4.1.2. AES in f8-mode
To encrypt UMTS (Universal Mobile Telecommunications System, i.e., 3G networks) data, a solution (see [f8-a] [f8-b]) known as the f8-algorithm has been developed. On a high level, the proposed scheme is a variant of Output Feedback Mode (OFB) [HAC], with a more elaborate initialization and feedback function. As in normal OFB, the core consists of a block cipher. We also define here the use of AES as the block cipher in what we shall call "f8-mode of operation" RTP encryption. The AES f8-mode SHALL use the same default sizes for session key and salt as AES counter mode.
Figure 4 shows the structure of block cipher, E, running in f8-mode.
                   IV
                   |
                   v
               +------+
               |      |
          +--->|  E   |
          |    +------+
          |        |
    m -> (*)       +-----------+-------------+--   ...    ------+
          |    IV' |           |             |                  |
          |        |   j=1 -> (*)    j=2 -> (*)    ... j=L-1 ->(*)
          |        |           |             |                  |
          |        |      +-> (*)       +-> (*)    ...     +-> (*)
          |        |      |    |        |    |             |    |
          |        v      |    v        |    v             |    v
          |    +------+   | +------+    | +------+         | +------+
   k_e ---+--->|  E   |   | |  E   |    | |  E   |         | |  E   |
               |      |   | |      |    | |      |         | |      |
               +------+   | +------+    | +------+         | +------+
                   |      |    |        |    |             |    |
                   +------+    +--------+    +--  ...  ----+    |
                   |           |             |                  |
                   v           v             v                  v
                  S(0)        S(1)          S(2)   . . .     S(L-1)
Figure 4. f8-mode of operation (asterisk, (*), denotes bitwise XOR). The figure represents the KG in Figure 3, when AES-f8 is used.
4.1.2.1. f8 Keystream Generation
The Initialization Vector (IV) SHALL be determined as described in Section 4.1.2.2 (and in Section 4.1.2.3 for SRTCP).
Let IV', S(j), and m denote n_b-bit blocks. The keystream, S(0) || ... || S(L-1), for an N-bit message SHALL be defined by setting IV' = E(k_e XOR m, IV), and S(-1) = 00..0. For j = 0,1,..,L-1 where L = N/n_b (rounded up to nearest integer if it is not already an integer) compute
S(j) = E(k_e, IV' XOR j XOR S(j-1))
Notice that the IV is not used directly. Instead it is fed through E under another key to produce an internal, "masked" value (denoted IV') to prevent an attacker from gaining known input/output pairs.
The role of the internal counter, j, is to prevent short keystream cycles. The value of the key mask m SHALL be
m = k_s || 0x555..5,
i.e., the session salting key, appended by the binary pattern 0101.. to fill out the entire desired key size, n_e.
The sender SHOULD NOT generate more than 2^32 blocks, which is sufficient to generate 2^39 bits of keystream. Unlike counter mode, there is no absolute threshold above (below) which f8 is guaranteed to be insecure (secure). The above bound has been chosen to limit, with sufficient security margin, the probability of degenerative behavior in the f8 keystream generation.
4.1.2.2. f8 SRTP IV Formation
The purpose of the following IV formation is to provide a feature which we call implicit header authentication (IHA), see Section 9.5.
The SRTP IV for 128-bit block AES-f8 SHALL be formed in the following way:
IV = 0x00 || M || PT || SEQ || TS || SSRC || ROC
M, PT, SEQ, TS, SSRC SHALL be taken from the RTP header; ROC is from the cryptographic context.
The presence of the SSRC as part of the IV allows AES-f8 to be used when a master key is shared between multiple streams within the same RTP session, see Section 9.1.
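The keystream generation of Section 4.1.2.1 and the SRTP IV formation above, as an added Go example that is not part of the specification text, using the standard crypto/aes package. The function names are hypothetical, j is assumed to be encoded as a big-endian 128-bit block, and the all-zero 16-byte key, 14-byte salt, header and ROC in main are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// encrypt is E(key, in) from the text: a single AES block encryption.
func encrypt(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return out
}

// SRTPIV forms 0x00 || M || PT || SEQ || TS || SSRC || ROC; hdr is the 12-byte RTP header.
func SRTPIV(hdr []byte, roc uint32) []byte {
	iv := append([]byte{0x00}, hdr[1:12]...) // hdr[0] (V, P, X, CC) is replaced by 0x00
	return append(iv, byte(roc>>24), byte(roc>>16), byte(roc>>8), byte(roc))
}

// F8Keystream returns the first n bytes of S(0) || S(1) || ... .
func F8Keystream(ke, ks, iv []byte, n int) []byte {
	mk := bytes.Repeat([]byte{0x55}, len(ke)) // m = k_s || 0x55..55
	copy(mk, ks)
	for i := range mk {
		mk[i] ^= ke[i] // mk becomes k_e XOR m
	}
	ivp := encrypt(mk, iv)           // IV' = E(k_e XOR m, IV)
	s := make([]byte, aes.BlockSize) // S(-1) = 00..0
	var out []byte
	for j := uint32(0); len(out) < n; j++ {
		in := []byte{12: byte(j >> 24), byte(j >> 16), byte(j >> 8), byte(j)} // j as a block (assumed big-endian)
		for i := range in {
			in[i] ^= ivp[i] ^ s[i] // IV' XOR j XOR S(j-1)
		}
		s = encrypt(ke, in)
		out = append(out, s...)
	}
	return out[:n]
}

func main() { // constructed all-zero key, salt, header and ROC, only to show a run
	fmt.Printf("%x\n", F8Keystream(make([]byte, 16), make([]byte, 14), SRTPIV(make([]byte, 12), 0), 20))
}
```

Because M, PT, SEQ, TS and SSRC enter the IV, a receiver that derives the IV from a modified header obtains a different keystream.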
4.1.2.3. f8 SRTCP IV Formation
The SRTCP IV for 128-bit block AES-f8 SHALL be formed in the following way:
IV = 0..0 || E || SRTCP index || V || P || RC || PT || length || SSRC
where V, P, RC, PT, length, SSRC SHALL be taken from the first header in the RTCP compound packet. E and SRTCP index are the 1-bit and 31-bit fields added to the packet.