
Improved AES GCM encryption, changed IV length to 12 bytes. #2962

Open

wants to merge 5 commits into master

Conversation

maxsharabayko (Collaborator) commented Jun 20, 2024

Changes

  • Changed the IV vector length to 12 bytes in the case of AES-GCM when peer's SRT version is 1.5.4 or above;
  • Fixed AAD byte order when peer's SRT version is 1.5.4 or above.

TODO

  • Raise SRT version to 1.5.4.

AES-CTR Initialisation Vector (IV)

The Initialisation Vector (IV) for the AES-CTR encryption mode is derived by exclusive ORing the first 112 bits of the Salt provided in the Keying Material with the packet sequence number (PktSeqNo) in the SRT header, and left-shifting the resulting value by 16 bits:

IV = (MSB(112, Salt) XOR PktSeqNo) << 16

Thus the counter (keystream) used by the AES engine is the 128-bit value obtained by concatenating the IV with the block counter ("ctr"):

     0   1   2   3   4   5  6   7   8   9   10  11  12  13  14  15   bytes
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+  ^
   |                   0s                  |   PktSeqNo    |   0s  |  |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+  |
                              XOR                                     | IV
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+          |
   |                  nonce = MSB(112, Salt)               +          |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+          v
                              (+)
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
   |                   0s                                 |   ctr  |
   +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+

To avoid using the same keystream twice the payload size MUST be less than 2^16 blocks of 128 bits.

AES-GCM Initialisation Vector (IV)

Starting from v1.5.4.

The Initialisation Vector (IV) for the AES-GCM encryption mode is derived by exclusive ORing the first 96 bits of the Salt provided in the Keying Material with the packet sequence number (PktSeqNo) in the SRT header:

IV = MSB(96, Salt) XOR PktSeqNo

Each outbound packet uses a 12-octet IV and an encryption key to form two outputs (RFC-7714):

  • a 16-octet first key block, which is used in forming the authentication tag, and
  • a keystream of octets, formed in blocks of 16 octets each.

With an IV taking 96 bits, there are always 128-96=32 bits for the block counter until it wraps around.
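The two IV derivations above, implemented as an added example in C (this is not haicrypt's own code). It reads each XOR as a big-endian integer XOR, so the 32-bit PktSeqNo lines up with the low-order bytes of the truncated Salt, which is the placement the AES-CTR diagram shows; applying the same placement to the 12-byte AES-GCM IV is an assumption drawn from the formula, not from the library. It also includes the 2^16-block payload check the AES-CTR text requires, and the salt and sequence number are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AES-CTR: IV = (MSB(112, Salt) XOR PktSeqNo) << 16, written into a 16-byte
   counter block. Bytes 0..13 hold the 14-byte nonce with PktSeqNo XORed into
   bytes 10..13 (big-endian); bytes 14..15 are the 16-bit block counter,
   which starts at 0 for the first block of the packet. */
void srt_ctr_block(const uint8_t salt[16], uint32_t pktseqno, uint8_t out[16])
{
    memset(out, 0, 16);
    memcpy(out, salt, 14);                       /* MSB(112, Salt) */
    for (int i = 0; i < 4; i++)
        out[10 + i] ^= (uint8_t)(pktseqno >> (24 - 8 * i));
}

/* AES-GCM (peer >= 1.5.4): IV = MSB(96, Salt) XOR PktSeqNo, a 12-byte IV.
   Assumed placement: PktSeqNo in the last 4 bytes. The 32-bit block counter
   is appended by the GCM engine itself (RFC 7714), so it is not built here. */
void srt_gcm_iv(const uint8_t salt[16], uint32_t pktseqno, uint8_t out[12])
{
    memcpy(out, salt, 12);                       /* MSB(96, Salt) */
    for (int i = 0; i < 4; i++)
        out[8 + i] ^= (uint8_t)(pktseqno >> (24 - 8 * i));
}

/* AES-CTR keystream-reuse check: the 16-bit counter must not wrap, so the
   payload must span fewer than 2^16 blocks of 16 bytes. */
int srt_ctr_payload_ok(size_t payload_len)
{
    size_t blocks = (payload_len + 15) / 16;     /* round up to whole blocks */
    return blocks < ((size_t)1 << 16);
}

static void hexdump(const char *label, const uint8_t *p, size_t n)
{
    printf("%-5s", label);
    for (size_t i = 0; i < n; i++) printf("%02x", p[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed sample salt and sequence number, not real keying material. */
    const uint8_t salt[16] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                              0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    uint8_t ctr[16], gcm[12];
    srt_ctr_block(salt, 0x12345678u, ctr);
    srt_gcm_iv(salt, 0x12345678u, gcm);
    hexdump("CTR:", ctr, 16);   /* prints 00112233445566778899b88f9aa50000 */
    hexdump("GCM:", gcm, 12);   /* prints 001122334455667799adfcc3 */
    printf("1048561-byte CTR payload ok? %d\n", srt_ctr_payload_ok(1048561));
    return 0;
}
```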

@maxsharabayko maxsharabayko added Type: Maintenance Work required to maintain or clean up the code [core] Area: Changes in SRT library core labels Jun 20, 2024
@maxsharabayko maxsharabayko added this to the v1.5.4 milestone Jun 20, 2024