A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

SRTP Replay Protection A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows

Transcript of A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Page 1: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

SRTP Replay Protection: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows

Page 2: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Security Measures for SIP
- SIPS (or SIP over TLS): per-hop encryption of the transport
- SRTP: end-to-end protection of the media content
- Provides confidentiality, message authentication, and replay protection:
  - Encryption for confidentiality
  - Keyed hash function for message authentication
  - Counters for replay protection

Page 3: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

What is a Replay Attack?
- A packet is stored by an adversary and then injected back into the network
- Example: storing video from a surveillance camera and injecting it into the monitoring station to evade surveillance
- Message authentication provides integrity but is not enough on its own

Page 4: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Replay Protection Definitions
- Sequence Number
- ROC (Rollover Counter)
- Cryptographic Context
- Implicit Index
- Replay List
- Sliding Window Algorithm

Page 5: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Sequence Number
- Sequence Number (SEQNUM) = 16 bits
- Incremented up to 65,535 (64-bits)
- Defined in the SRTP header

Page 6: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

SEQNUM in the SRTP Header

Page 7: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

ROC (Rollover Counter)
- 32-bit unsigned counter
- Counts the number of times the sequence number has reset to zero (after passing through 65,535)
- Incremented by 1 each time the sequence number wraps
- Maintained by SRTP (not carried in the header)

Page 8: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Cryptographic Context
- SRTP creates the implicit index from values held in the cryptographic context
- Includes state information that defines the proper security measures
- Holds a 16-bit sequence number, namely the highest received SRTP sequence number

Page 9: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Implicit Index
- Implicit: not carried in the packet
- ROC + sequence number: 48 bits (SEQNUM 16 + ROC 32)
- Computed on a per-packet basis
- Also used to create the session keys for encryption and authentication
- Index = 2^16 * ROC + SEQNUM

Page 10: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Implicit Index (cont.)
- The receiver calculates the implicit index
- Determines whether the index is unique before accepting the packet
- Accepts the packet only if the index falls within the sliding window
- Compares the index against the last index (contained in the cryptographic context)

Page 11: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Replay List
- Maintained only by the receiver
- SRTP has to provide both authentication and replay protection
- Contains the indices of recently received and authenticated SRTP packets

Page 12: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Sliding Window
- Default window size is 64
- If the attacker chooses a sequence number at random and the window size is 64, there is a 99.9-percent likelihood (1 - 64/2^16) that the packet will be discarded

Page 13: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Sliding Window
- Only packets with an index ahead of the window, or inside the window but not already received, SHALL be accepted
- Packets with sequence numbers < 64 packets behind the highest-numbered packet will be discarded
- Packets > 64 packets ahead of the window are discarded
- A packet is discarded if its "RECEIVED?" bit is set
- Packets within the window (not yet received) are accepted
- Packets higher than the window are accepted and cause the window to advance

Page 14: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Sliding Window

Page 15: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Challenges for the Receiver
- Receiver's Window Size (RWS)
- Packets arrive out of order
- The sequence number may have wrapped: the decision point is 32,768 (half of the 16-bit range)
- Also packet loss and bit errors
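As an added example that is not part of the slides, a small Python receiver state machine combining the implicit-index estimate of slides 9 and 15 (the 32,768 half-range rule) with the 64-packet sliding-window replay list of slides 12 and 13; the class and attribute names are this example's own choices.

```python
# Added example, not from the slides: receiver-side replay protection for SRTP.
# Attribute names (roc, s_l, last_index, window) are assumptions of this example.

WINDOW_SIZE = 64      # default replay window from slide 12
SEQ_MOD = 1 << 16     # size of the 16-bit sequence number space


class SrtpReplayState:
    """Receiver cryptographic context: ROC, highest seq (s_l), replay bitmap."""

    def __init__(self):
        self.roc = 0           # rollover counter, kept by SRTP, not in the header
        self.s_l = None        # highest authenticated sequence number seen so far
        self.last_index = -1   # index at the right edge of the sliding window
        self.window = 0        # bit i set => packet (last_index - i) already received

    def estimate_index(self, seq):
        """Guess (roc_guess, 2^16 * roc_guess + seq) for an incoming SEQNUM."""
        if self.s_l is None:
            v = self.roc
        elif self.s_l < SEQ_MOD // 2:
            # s_l in the lower half: a much larger seq is a late packet from the previous rollover
            v = self.roc - 1 if seq - self.s_l > SEQ_MOD // 2 else self.roc
        else:
            # s_l in the upper half: a much smaller seq means the sender already wrapped
            v = self.roc + 1 if self.s_l - seq > SEQ_MOD // 2 else self.roc
        return v, v * SEQ_MOD + seq

    def check_and_update(self, seq, authenticated=True):
        """Return True (and update the replay list) if the packet is accepted."""
        if not authenticated:
            return False                   # the replay list only holds authenticated packets
        v, index = self.estimate_index(seq)
        if index > self.last_index:
            # Ahead of the window: accept and slide the window forward
            shift = index - self.last_index
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.last_index = index
            self.roc, self.s_l = v, seq
            return True
        behind = self.last_index - index
        if behind >= WINDOW_SIZE:
            return False                   # too far behind: outside the window
        if (self.window >> behind) & 1:
            return False                   # "RECEIVED?" bit already set: replay
        self.window |= 1 << behind         # inside the window and new: mark received
        return True
```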

Page 16: A Technical Review of ROC, Cryptographic Context, Indices, and Sliding Windows.

Karen Lugo, April 8, 2013, CSCI E-139