RFC 7714 – AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)

Internet Engineering Task Force (IETF)                         D. McGrew
Request for Comments: 7714                           Cisco Systems, Inc.
Category: Standards Track                                        K. Igoe
ISSN: 2070-1721                                 National Security Agency
                                                           December 2015


                     AES-GCM Authenticated Encryption
            in the Secure Real-time Transport Protocol ( SRTP )

Abstract

   This document defines how the AES-GCM Authenticated Encryption with
   Associated Data family of algorithms can be used to provide
   confidentiality and data authentication in the Secure Real-time
   Transport Protocol (SRTP).

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7714.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.






 McGrew & Igoe Standards Track [ Page 1 ]
 
RFC 7714 AES-GCM for SRTP December 20151. Introduction ....................................................3
   2. Conventions Used in This Document ...............................4
   3. Overview of the SRTP/SRTCP AEAD Security Architecture ...........4
   4. Terminology .....................................................5
   5. Generic AEAD Processing .........................................6
      5.1. Types of Input Data ........................................6
      5.2. AEAD Invocation Inputs and Outputs .........................6
           5.2.1. Encrypt Mode ........................................6
           5.2.2. Decrypt Mode ........................................7
      5.3. Handling of AEAD Authentication ............................7
   6. Counter Mode Encryption .........................................7
   7. Unneeded SRTP/SRTCP Fields ......................................8
      7.1. SRTP/SRTCP Authentication Tag Field ........................8
      7.2. RTP Padding ................................................9
   8. AES-GCM Processing for SRTP .....................................9
      8.1. SRTP IV Formation for AES-GCM ..............................9
      8.2. Data Types in SRTP Packets ................................10
      8.3. Handling Header Extensions ................................11
      8.4. Prevention of SRTP IV Reuse ...............................12
   9. AES-GCM Processing of SRTCP Compound Packets ...................13
      9.1. SRTCP IV Formation for AES-GCM ............................13
      9.2. Data Types in Encrypted SRTCP Compound Packets ............14
      9.3. Data Types in Unencrypted SRTCP Compound Packets ..........16
      9.4. Prevention of SRTCP IV Reuse ..............................17
   10. Constraints on AEAD for SRTP and SRTCP ........................17
   11. Key Derivation Functions ......................................18
   12. Summary of AES-GCM in SRTP/SRTCP ..............................19
   13. Security Considerations .......................................20
      13.1. Handling of Security-Critical Parameters .................20
      13.2. Size of the Authentication Tag ...........................21
   14. IANA Considerations ...........................................21
      14.1. SDES .....................................................21
      14.2. DTLS-SRTP ................................................22
      14.3. MIKEY ....................................................23
   15. Parameters for Use with MIKEY .................................23
   16. Some RTP Test Vectors .........................................24
      16.1. SRTP AEAD_AES_128_GCM ....................................25
           16.1.1. SRTP AEAD_AES_128_GCM Encryption ..................25
           16.1.2. SRTP AEAD_AES_128_GCM Decryption ..................27
           16.1.3. SRTP AEAD_AES_128_GCM Authentication Tagging ......29
           16.1.4. SRTP AEAD_AES_128_GCM Tag Verification ............30
      16.2. SRTP AEAD_AES_256_GCM ....................................31
           16.2.1. SRTP AEAD_AES_256_GCM Encryption ..................31
           16.2.2. SRTP AEAD_AES_256_GCM Decryption ..................33
           16.2.3. SRTP AEAD_AES_256_GCM Authentication Tagging ......35
           16.2.4. SRTP AEAD_AES_256_GCM Tag Verification ............36



 McGrew & Igoe Standards Track [ Page 2 ]
RFC 7714 AES-GCM for SRTP December 201517. RTCP Test Vectors .............................................37
      17.1. SRTCP AEAD_AES_128_GCM Encryption and Tagging ............39
      17.2. SRTCP AEAD_AES_256_GCM Verification and Decryption .......41
      17.3. SRTCP AEAD_AES_128_GCM Tagging Only ......................43
      17.4. SRTCP AEAD_AES_256_GCM Tag Verification ..................44
   18. References ....................................................45
      18.1. Normative References .....................................45
      18.2. Informative References ...................................47
   Acknowledgements ..................................................48
   Authors' Addresses ................................................48

1. IntroductionRFC3711] is a profile
   of the Real-time Transport Protocol (RTP) [RFC3550], which can
   provide confidentiality, message authentication, and replay
   protection to the RTP traffic and to the control traffic for RTP, the
   Real-time Transport Control Protocol (RTCP).  It is important to note
   that the outgoing SRTP packets from a single endpoint may be
   originating from several independent data sources.

   Authenticated Encryption [BN00] is a form of encryption that, in
   addition to providing confidentiality for the Plaintext that is
   encrypted, provides a way to check its integrity and authenticity.
   Authenticated Encryption with Associated Data, or AEAD [R02], adds
   the ability to check the integrity and authenticity of some
   Associated Data (AD), also called "Additional Authenticated Data"
   (AAD), that is not encrypted.  This specification makes use of the
   interface to a generic AEAD algorithm as defined in [RFC5116].

   The Advanced Encryption Standard (AES) is a block cipher that
   provides a high level of security and can accept different key sizes.
   AES Galois/Counter Mode (AES-GCM) [GCM] is a family of AEAD
   algorithms based upon AES.  This specification makes use of the AES
   versions that use 128-bit and 256-bit keys, which we call "AES-128"
   and "AES-256", respectively.

   Any AEAD algorithm provides an intrinsic authentication tag.  In many
   applications, the authentication tag is truncated to less than full
   length.  In this specification, the authentication tag MUST NOT be
   truncated.  The authentications tags MUST be a full 16 octets in
   length.  When used in SRTP/SRTCP, AES-GCM will have two
   configurations:

      AEAD_AES_128_GCM      AES-128 with a 16-octet authentication tag
      AEAD_AES_256_GCM      AES-256 with a 16-octet authentication tag





 McGrew & Igoe Standards Track [ Page 3 ]
RFC 7714 AES-GCM for SRTP December 20152. Conventions Used in This DocumentRFC2119].

3. Overview of the SRTP/SRTCP AEAD Security ArchitectureSection 4.3 of [RFC3711].
         The master key MUST be at least as large as the encryption key
         derived from it.  Since AEAD algorithms such as AES-GCM combine
         encryption and authentication into a single process, AEAD
         algorithms do not make use of separate authentication keys.






 McGrew & Igoe Standards Track [ Page 4 ]
RFC 7714 AES-GCM for SRTP December 2015Section 8.1).
         SRTCP combines the SSRC and 31-bit SRTCP index with the
         encryption salt to form a 12-octet IV (see Section 9.1).

4. Terminology McGrew & Igoe Standards Track [ Page 5 ]
RFC 7714 AES-GCM for SRTP December 20155.2.2. Decrypt Mode5.3. Handling of AEAD Authentication6. Counter Mode Encryption McGrew & Igoe Standards Track [ Page 7 ]
RFC 7714 AES-GCM for SRTP December 20158.1 and 9.1) with a 4-octet block to AES.  The pseudocode
   below illustrates this process:

    def GCM_keystream( Plaintext_len, IV, Encryption_key ):
        assert Plaintext_len <= (2**36) - 32 ## measured in octets
        key_stream = ""
        block_counter = 1
        first_key_block = AES_ENC( data=IV||block_counter,
                                   key=Encryption_key )
        while len(key_stream) < Plaintext_len:
            block_counter = block_counter + 1
            key_block = AES_ENC( data=IV||block_counter,
                                 key=Encryption_key )
            key_stream = key_stream||key_block
        key_stream = truncate( key_stream, Plaintext_len )
        return( first_key_block, key_stream )

   In theory, this keystream generation process allows for the
   encryption of up to (2^36) - 32 octets per invocation (i.e., per
   packet), far longer than is actually required.

   With any counter mode, if the same (IV, Encryption_key) pair is used
   twice, precisely the same keystream is formed.  As explained in
   Section 9.1 of [RFC3711], this is a cryptographic disaster.  For GCM,
   the consequences are even worse, since such a reuse compromises GCM's
   integrity mechanism not only for the current packet stream but for
   all future uses of the current encryption_key.

7. Unneeded SRTP/SRTCP Fields7.1. SRTP/SRTCP Authentication Tag FieldSection 3.4 of
   [RFC3711], which makes the use of the SRTCP authentication tag field
   mandatory, but the presence of the AEAD authentication renders the
   older authentication methods redundant.




 McGrew & Igoe Standards Track [ Page 8 ]
RFC 7714 AES-GCM for SRTP December 2015RFC4771].
      This document retains the authentication tag field primarily to
      preserve compatibility with these applications.

7.2. RTP Padding8. AES-GCM Processing for SRTP8.1. SRTP IV Formation for AES-GCM McGrew & Igoe Standards Track [ Page 9 ]
RFC 7714 AES-GCM for SRTP December 20158.2. Data Types in SRTP Packets McGrew & Igoe Standards Track [ Page 10 ]
RFC 7714 AES-GCM for SRTP December 20158.3. Handling Header ExtensionsRFC3550].  [RFC6904]
   describes how these header extensions are to be encrypted in SRTP.

   When RFC 6904 is in use, a separate keystream is generated to encrypt
   selected RTP header extension elements.  For the AEAD_AES_128_GCM
   algorithm, this keystream MUST be generated in the manner defined in
   [RFC6904], using the AES Counter Mode (AES-CM) transform.  For the



 McGrew & Igoe Standards Track [ Page 11 ]
RFC 7714 AES-GCM for SRTP December 20158.4. Prevention of SRTP IV ReuseRFC3711] allows the
                          detection of SSRC collisions after they
                          happen, SRTP using GCM with shared master keys
                          MUST prevent an SSRC collision from happening
                          even once.

      SSRC Management:    For a given master key, the set of all SSRC
                          values used with that master key must be
                          partitioned into disjoint pools, one pool for
                          each endpoint using that master key to
                          originate outbound data.  Each such
                          originating endpoint MUST only issue SSRC
                          values from the pool it has been assigned.
                          Further, each originating endpoint MUST
                          maintain a history of outbound SSRC



 McGrew & Igoe Standards Track [ Page 12 ]
RFC 7714 AES-GCM for SRTP December 20159. AES-GCM Processing of SRTCP Compound Packets9.1. SRTCP IV Formation for AES-GCM McGrew & Igoe Standards Track [ Page 13 ]
RFC 7714 AES-GCM for SRTP December 20159.2. Data Types in Encrypted SRTCP Compound PacketsRFC 3550.)












 McGrew & Igoe Standards Track [ Page 14 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 15 ]
RFC 7714 AES-GCM for SRTP December 20159.3. Data Types in Unencrypted SRTCP Compound Packets McGrew & Igoe Standards Track [ Page 16 ]
RFC 7714 AES-GCM for SRTP December 20159.4. Prevention of SRTCP IV ReuseSection 8.4 also apply.

10. Constraints on AEAD for SRTP and SRTCP McGrew & Igoe Standards Track [ Page 17 ]
RFC 7714 AES-GCM for SRTP December 201511. Key Derivation FunctionsRFC3711].  AEAD_AES_256_GCM MUST use the
   AES_256_CM_PRF KDF described in [RFC6188].












 McGrew & Igoe Standards Track [ Page 18 ]
RFC 7714 AES-GCM for SRTP December 201512. Summary of AES-GCM in SRTP/SRTCPRFC5116].  The
   following members of the AES-GCM family may be used with SRTP/SRTCP:

     Name                 Key Size      AEAD Tag Size      Reference
     ================================================================
     AEAD_AES_128_GCM     16 octets     16 octets          [RFC5116]
     AEAD_AES_256_GCM     32 octets     16 octets          [RFC5116]

                Table 1: AES-GCM Algorithms for SRTP/SRTCP

   Any implementation of AES-GCM SRTP MUST support both AEAD_AES_128_GCM
   and AEAD_AES_256_GCM.  Below, we summarize parameters associated with
   these two GCM algorithms:

     +--------------------------------+------------------------------+
     | Parameter                      | Value                        |
     +--------------------------------+------------------------------+
     | Master key length              | 128 bits                     |
     | Master salt length             | 96 bits                      |
     | Key Derivation Function        | AES_CM PRF [RFC3711]         |
     | Maximum key lifetime (SRTP)    | 2^48 packets                 |
     | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
     | Cipher (for SRTP and SRTCP)    | AEAD_AES_128_GCM             |
     | AEAD authentication tag length | 128 bits                     |
     +--------------------------------+------------------------------+

                Table 2: The AEAD_AES_128_GCM Crypto Suite















 McGrew & Igoe Standards Track [ Page 19 ]
RFC 7714 AES-GCM for SRTP December 2015RFC6188]     |
     | Maximum key lifetime (SRTP)    | 2^48 packets                 |
     | Maximum key lifetime (SRTCP)   | 2^31 packets                 |
     | Cipher (for SRTP and SRTCP)    | AEAD_AES_256_GCM             |
     | AEAD authentication tag length | 128 bits                     |
     +--------------------------------+------------------------------+

                Table 3: The AEAD_AES_256_GCM Crypto Suite

13. Security Considerations13.1. Handling of Security-Critical Parameters McGrew & Igoe Standards Track [ Page 20 ]
RFC 7714 AES-GCM for SRTP December 201513.2. Size of the Authentication Tag14. IANA Considerations14.1. SDESRFC4568] defines SRTP "crypto suites".  A crypto suite
   corresponds to a particular AEAD algorithm in SRTP.  In order to
   allow security descriptions to signal the use of the algorithms
   defined in this document, IANA has registered the following crypto
   suites in the "SRTP Crypto Suite Registrations" subregistry of the
   "Session Description Protocol (SDP) Security Descriptions" registry.
   The ABNF [RFC5234] syntax is as follows:

      srtp-crypto-suite-ext = "AEAD_AES_128_GCM"    /
                              "AEAD_AES_256_GCM"    /
                              srtp-crypto-suite-ext

























 McGrew & Igoe Standards Track [ Page 21 ]
RFC 7714 AES-GCM for SRTP December 201514.2. DTLS-SRTPRFC5764] defines DTLS-SRTP "SRTP protection profiles".
   These profiles also correspond to the use of an AEAD algorithm in
   SRTP.  In order to allow the use of the algorithms defined in this
   document in DTLS-SRTP, IANA has registered the following SRTP
   protection profiles:

         SRTP_AEAD_AES_128_GCM    = {0x00, 0x07}
         SRTP_AEAD_AES_256_GCM    = {0x00, 0x08}

   Below, we list the SRTP transform parameters for each of these
   protection profiles.  Unless separate parameters for SRTP and SRTCP
   are explicitly listed, these parameters apply to both SRTP and SRTCP.

    SRTP_AEAD_AES_128_GCM
         cipher:                 AES_128_GCM
         cipher_key_length:      128 bits
         cipher_salt_length:     96 bits
         aead_auth_tag_length:   16 octets
         auth_function:          NULL
         auth_key_length:        N/A
         auth_tag_length:        N/A
         maximum lifetime:       at most 2^31 SRTCP packets and
                                   at most 2^48 SRTP packets

    SRTP_AEAD_AES_256_GCM
         cipher:                 AES_256_GCM
         cipher_key_length:      256 bits
         cipher_salt_length:     96 bits
         aead_auth_tag_length:   16 octets
         auth_function:          NULL
         auth_key_length:        N/A
         auth_tag_length:        N/A
         maximum lifetime:       at most 2^31 SRTCP packets and
                                   at most 2^48 SRTP packets

   Note that these SRTP protection profiles do not specify an
   auth_function, auth_key_length, or auth_tag_length, because all
   of these profiles use AEAD algorithms and thus do not use a
   separate auth_function, auth_key, or auth_tag.  The term
   "aead_auth_tag_length" is used to emphasize that this refers to
   the authentication tag provided by the AEAD algorithm and that
   this tag is not located in the authentication tag field provided by
   SRTP/SRTCP.






 McGrew & Igoe Standards Track [ Page 22 ]
RFC 7714 AES-GCM for SRTP December 201514.3. MIKEYRFC3830],
   IANA maintains several subregistries under "Multimedia Internet
   KEYing (MIKEY) Payload Name Spaces".  Per this document, additions
   have been made to two of the MIKEY subregistries.

   In the "MIKEY Security Protocol Parameters" subregistry, the
   following has been added:

      Type | Meaning                         | Possible Values
      --------------------------------------------------------
        20 | AEAD authentication tag length  | 16 octets

   This list is, of course, intended for use with GCM.  It is
   conceivable that new AEAD algorithms introduced at some point in the
   future may require a different set of authentication tag lengths.

   In the "Encryption algorithm (Value 0)" subregistry (derived from
   Table 6.10.1.b of [RFC3830]), the following has been added:

        SRTP Encr. | Value | Default Session   |  Default Auth.
        Algorithm  |       | Encr. Key Length  |   Tag Length
      -----------------------------------------------------------
        AES-GCM    |    6  |    16 octets      |  16 octets

   The encryption algorithm, session encryption key length, and AEAD
   authentication tag sizes received from MIKEY fully determine the AEAD
   algorithm to be used.  The exact mapping is described in Section 15.

15. Parameters for Use with MIKEY McGrew & Igoe Standards Track [ Page 23 ]
 
RFC 7714 AES-GCM for SRTP December 2015Section 11 of this document restricts the choice of KDF for AEAD
   algorithms.  To enforce this restriction in MIKEY, we require that
   the SRTP Pseudorandom Function (PRF) has value AES-CM whenever an
   AEAD algorithm is used.  Note that, according to Section 6.10.1 of
   [RFC3830], the input key length of the KDF (i.e., the SRTP master key
   length) is always equal to the session encryption key length.  This
   means, for example, that AEAD_AES_256_GCM will use AES_256_CM_PRF as
   the KDF.

16. Some RTP Test VectorsSection 8.1, the IV is formed by XORing two 12-octet
   values.  The first 12-octet value is formed by concatenating two
   zero octets, the 4-octet SSRC (found in the ninth through 12th octets
   of the packet), the 4-octet rollover counter (ROC) maintained at each
   end of the link, and the 2-octet sequence number (SEQ) (found in the
   third and fourth octets of the packet).  The second 12-octet value is
   the salt, a value that is held constant at least until the key is
   changed.

              | Pad |   SSRC    |    ROC    | SEQ |
               00 00 55 01 a0 b2 00 00 00 00 f1 7b
        salt   51 75 69 64 20 70 72 6f 20 71 75 6f
               ------------------------------------
          IV   51 75 3c 65 80 c2 72 6f 20 71 84 14

   All of the RTP examples use this IV.







 McGrew & Igoe Standards Track [ Page 24 ]
RFC 7714 AES-GCM for SRTP December 201516.1. SRTP AEAD_AES_128_GCM16.1.1. SRTP AEAD_AES_128_GCM Encryption McGrew & Igoe Standards Track [ Page 25 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 26 ]
RFC 7714 AES-GCM for SRTP December 201516.1.2. SRTP AEAD_AES_128_GCM Decryption McGrew & Igoe Standards Track [ Page 27 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 28 ]
RFC 7714 AES-GCM for SRTP December 201516.1.3. SRTP AEAD_AES_128_GCM Authentication Tagging McGrew & Igoe Standards Track [ Page 29 ]
RFC 7714 AES-GCM for SRTP December 201516.1.4. SRTP AEAD_AES_128_GCM Tag Verification McGrew & Igoe Standards Track [ Page 30 ]
RFC 7714 AES-GCM for SRTP December 201516.2. SRTP AEAD_AES_256_GCM16.2.1. SRTP AEAD_AES_256_GCM Encryption McGrew & Igoe Standards Track [ Page 31 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 32 ]
RFC 7714 AES-GCM for SRTP December 201516.2.2. SRTP AEAD_AES_256_GCM Decryption McGrew & Igoe Standards Track [ Page 33 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 34 ]
RFC 7714 AES-GCM for SRTP December 201516.2.3. SRTP AEAD_AES_256_GCM Authentication Tagging McGrew & Igoe Standards Track [ Page 35 ]
RFC 7714 AES-GCM for SRTP December 201516.2.4. SRTP AEAD_AES_256_GCM Tag Verification McGrew & Igoe Standards Track [ Page 36 ]
RFC 7714 AES-GCM for SRTP December 201517. RTCP Test VectorsSection 9.1, the IV is formed by XORing two 12-octet
   values.  The first 12-octet value is formed by concatenating
   two zero octets, the 4-octet SSRC (found in the fifth through
   eighth octets of the RTP packet), another two padding octets, and the
   31-bit SRTCP index, right-justified in a 32-bit = 4-octet field with
   a single "0" bit prepended as padding.  An example of SRTCP IV
   formation is shown below:

             | Pad |   SSRC    | Pad |  0+SRTCP  |
              00 00 4d 61 72 73 00 00 00 00 05 d4
       salt   51 75 69 64 20 70 72 6f 20 71 75 6f
              ------------------------------------
         IV   51 75 24 05 52 03 72 6f 20 71 70 bb

   In an SRTCP packet, a 1-bit Encryption flag is prepended to the
   31-bit SRTCP index to form a 32-bit value we shall call the
   "ESRTCP word".  The E-flag is one if the SRTCP packet has been
   encrypted and zero if it has been tagged but not encrypted.  Note
   that the ESRTCP field is only present in an SRTCP packet, not in an
   RTCP packet.  The full ESRTCP word is part of the AAD.







 McGrew & Igoe Standards Track [ Page 37 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 38 ]
RFC 7714 AES-GCM for SRTP December 201517.1. SRTCP AEAD_AES_128_GCM Encryption and Tagging McGrew & Igoe Standards Track [ Page 39 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 40 ]
RFC 7714 AES-GCM for SRTP December 201517.2. SRTCP AEAD_AES_256_GCM Verification and Decryption McGrew & Igoe Standards Track [ Page 41 ]
RFC 7714 AES-GCM for SRTP December 2015 McGrew & Igoe Standards Track [ Page 42 ]
RFC 7714 AES-GCM for SRTP December 201517.3. SRTCP AEAD_AES_128_GCM Tagging Only McGrew & Igoe Standards Track [ Page 43 ]
RFC 7714 AES-GCM for SRTP December 201517.4. SRTCP AEAD_AES_256_GCM Tag Verification McGrew & Igoe Standards Track [ Page 44 ] 
RFC 7714 AES-GCM for SRTP December 201518.2. Informative ReferencesBN00]     Bellare, M. and C. Namprempre, "Authenticated Encryption:
              Relations among notions and analysis of the generic
              composition paradigm", Proceedings of ASIACRYPT 2000,
              Springer-Verlag, LNCS 1976, pp. 531-545,
              DOI 10.1007/3-540-44448-3_41,
              .

   [GCM]      Dworkin, M., "NIST Special Publication 800-38D:
              Recommendation for Block Cipher Modes of Operation:
              Galois/Counter Mode (GCM) and GMAC", U.S. National
              Institute of Standards and Technology, November 2007,
              .

   [R02]      Rogaway, P., "Authenticated-Encryption with Associated-
              Data", ACM Conference on Computer and Communications
              Security (CCS'02), pp. 98-107, ACM Press,
              DOI 10.1145/586110.586125, September 2002,
              .

   [RFC4771]  Lehtovirta, V., Naslund, M., and K. Norrman, "Integrity
              Transform Carrying Roll-Over Counter for the Secure
              Real-time Transport Protocol (SRTP)", RFC 4771,
              DOI 10.17487/RFC4771, January 2007,
              .
























 McGrew & Igoe Standards Track [ Page 47 ]
RFC 7714 AES-GCM for SRTP December 2015http://www.mindspring.com/~dmcgrew/dam.htm


   Kevin M. Igoe
   NSA/CSS Commercial Solutions Center
   National Security Agency

   Email: mythicalkevin@yahoo.com

























McGrew & Igoe                Standards Track                   [Page 48]
informant : https://coinselected.com
Category : crypto topics

Leave a Reply

Your email address will not be published.