Created
May 23, 2012 00:31
-
-
Save luciferous/2772553 to your computer and use it in GitHub Desktop.
Javascript implementation of the key derivation algorithm in RFC3711.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var crypto = require("crypto"); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 4.3.1. Key Derivation Algorithm | |
| Regardless of the encryption or message authentication transform that | |
| is employed (it may be an SRTP pre-defined transform or newly | |
| introduced according to Section 6), interoperable SRTP | |
| implementations MUST use the SRTP key derivation to generate session | |
| keys. Once the key derivation rate is properly signaled at the start | |
| of the session, there is no need for extra communication between the | |
| parties that use SRTP key derivation. | |
| packet index ---+ | |
| | | |
| v | |
| +-----------+ master +--------+ session encr_key | |
| | ext | key | |----------> | |
| | key mgmt |-------->| key | session auth_key | |
| | (optional | | deriv |----------> | |
| | rekey) |-------->| | session salt_key | |
| | | master | |----------> | |
| +-----------+ salt +--------+ | |
| Figure 5: SRTP key derivation. | |
| At least one initial key derivation SHALL be performed by SRTP, i.e., | |
| the first key derivation is REQUIRED. Further applications of the | |
| key derivation MAY be performed, according to the | |
| "key_derivation_rate" value in the cryptographic context. The key | |
| derivation function SHALL initially be invoked before the first | |
| packet and then, when r > 0, a key derivation is performed whenever | |
| index mod r equals zero. This can be thought of as "refreshing" the | |
| session keys. The value of "key_derivation_rate" MUST be kept fixed | |
| for the lifetime of the associated master key. | |
| Interoperable SRTP implementations MAY also derive session salting | |
| keys for encryption transforms, as is done in both of the pre- | |
| defined transforms. | |
| Let m and n be positive integers. A pseudo-random function family is | |
| a set of keyed functions {PRF_n(k,x)} such that for the (secret) | |
| random key k, given m-bit x, PRF_n(k,x) is an n-bit string, | |
| computationally indistinguishable from random n-bit strings, see | |
| [HAC]. For the purpose of key derivation in SRTP, a secure PRF with | |
| m = 128 (or more) MUST be used, and a default PRF transform is | |
| defined in Section 4.3.3. | |
| Let "a DIV t" denote integer division of a by t, rounded down, and | |
| with the convention that "a DIV 0 = 0" for all a. We also make the | |
| convention of treating "a DIV t" as a bit string of the same length | |
| as a, and thus "a DIV t" will in general have leading zeros. | |
| Key derivation SHALL be defined as follows in terms of <label>, an | |
| 8-bit constant (see below), master_salt and key_derivation_rate, as | |
| determined in the cryptographic context, and index, the packet index | |
| (i.e., the 48-bit ROC || SEQ for SRTP): | |
| * Let r = index DIV key_derivation_rate (with DIV as defined above). | |
| * Let key_id = <label> || r. | |
| * Let x = key_id XOR master_salt, where key_id and master_salt are | |
| aligned so that their least significant bits agree (right- | |
| alignment). | |
| <label> MUST be unique for each type of key to be derived. We | |
| currently define <label> 0x00 to 0x05 (see below), and future | |
| extensions MAY specify new values in the range 0x06 to 0xff for other | |
| purposes. The n-bit SRTP key (or salt) for this packet SHALL then be | |
| derived from the master key, k_master as follows: | |
| PRF_n(k_master, x). | |
| (The PRF may internally specify additional formatting and padding of | |
| x, see e.g., Section 4.3.3 for the default PRF.) | |
| The session keys and salt SHALL now be derived using: | |
| - k_e (SRTP encryption): <label> = 0x00, n = n_e. | |
| - k_a (SRTP message authentication): <label> = 0x01, n = n_a. | |
| - k_s (SRTP salting key): <label> = 0x02, n = n_s. | |
| where n_e, n_s, and n_a are from the cryptographic context. | |
| The master key and master salt MUST be random, but the master salt | |
| MAY be public. | |
| Note that for a key_derivation_rate of 0, the application of the key | |
| derivation SHALL take place exactly once. | |
| The definition of DIV above is purely for notational convenience. | |
| For a non-zero t among the set of allowed key derivation rates, "a | |
| DIV t" can be implemented as a right-shift by the base-2 logarithm of | |
| t. The derivation operation is further facilitated if the rates are | |
| chosen to be powers of 256, but that granularity was considered too | |
| coarse to be a requirement of this specification. | |
| The upper limit on the number of packets that can be secured using | |
| the same master key (see Section 9.2) is independent of the key | |
| derivation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment