End-to-End Secure Objects for Media over QUIC Transport

End-to-End Secure Objects for Media over QUIC Transport Cisco

fluffy@cisco.com

Cisco

snandaku@cisco.com

Cisco

rlb@ipv.sx

Applications and Real-Time Internet-Draft This document describes an end-to-end authenticated encryption scheme for application objects intended to be delivered over Media over QUIC Transport (MOQT). We reuse the SFrame scheme for authenticated encryption of media objects, while suppressing data that would be redundant between SFrame and MOQT, for an efficient on-the-wire representation. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Media over QUIC Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Media Over QUIC Transport (MOQT) is a protocol that is optimized for the QUIC protocol, either directly or via WebTransport, for the dissemination of delivery of low latency media . MOQT defines a publish/subscribe media delivery layer across set of participating relays for supporting wide range of use-cases with different resiliency and latency (live, interactive) needs without compromising the scalability and cost effectiveness associated with content delivery networks. It supports sending media objects through sets of relays nodes. Typically a MOQ Relay doesn't need to access the media content, thus allowing the media to be "end-to-end" encrypted so that it cannot be decrypted by the relays. However for a relay to participate effectively in the media delivery, it needs to access naming information of a MOQT object to carryout the required store and forward functions. As such, two layers of security are required:

Hop-by-hop (HBH) security between two MOQT relays
End-to-end (E2E) security from the Original Publisher of an MOQT object to End Subscribers

The HBH security is provided by TLS in the QUIC connection that MOQT runs over. MOQT support different E2EE protection as well as allowing for E2EE security. This document defines a scheme for E2E authenticated encryption of MOQT objects. This scheme is based on the SFrame mechanism for authenticated encryption of media objects . However, a secondary goal of this design is to minimize the amount of additional data the encryptions requires for each object. This is particularly important for very low bit rate audio applications where the encryption overhead can increase overall bandwidth usage by a significant percentage. To minimize the overhead added by end-to-end encryption, certain fields that would be redundant between MOQT and SFrame are not transmitted. The encryption mechanism defined in this specification can only be used in application context where object IDs never more than 32 bits long.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

E2EE:: End to End Encryption
HBH:: Hop By Hop
varint:: variable length integer, section 1.3

Notational Conventions This document uses the conventions detailed in ( Section 1.3) when describing the binary encoding.

Serialized Full Track Name Serialized Full Track Name is composed of MOQT Track Namespace and Track Name as shown below: The Serialize operation follows the same on-the-wire encoding for Track Name Space and Track Name as defined in Section 2.4.1 of . This mandates that the serialization of Track Namespace tuples starts with varint encoded count of tuples. This is followed by encoding corresponding to each tuple. Each tuple's encoding starts with varint encoded length for the count of bytes and bytes representing the content of the tuple. The Track Name is varint encoded length followed by sequence of bytes that identifies an individual track within the namespace. The + represents concatenation of byte strings.

MOQT Object Model Recap MOQT defines a publish/subscribe based media delivery protocol, where in endpoints, called original publishers, publish objects which are delivered via participating relays to receiving endpoints, called end subscribers. Section 2 of defines hierarchical object model for application data, comprised of objects, groups and tracks. Objects defines the basic data element, an addressable unit whose payload is sequence of bytes. All objects belong to a group, indicating ordering and potential dependencies. A track contains has collection of groups and serves as the entity against which a subscribers issue subscription requests.

The combination of Track Namespace, Track Name, Group ID and Object ID are globally unique in a given relay network.
The data inside an MOQT Object (and its size) can never change after the Object is first published. There can never be two Objects with the same name but different data.

One of the ways system keep the Object names unique is by using a fully qualified domain names or UUIDs as part of the TrackNamespace.

Secure Objects Section 10.2.1 defines fields of a canonical MOQT Object. The protection scheme defined in this draft encrypts the Object Payload and Private header extensions. The scheme authenticates the Group ID, Object ID, Immutable Header Extensions (Section 11.2 of }} and Object Payload fields, regardless of the on-the-wire encoding of the objects over QUIC Datagrams or QUIC streams.

Extensions MOQT defines two types of Object Header Extensions, public (or mutable) and immutable. This specification uses MOQT immutable extensions to convey authenticated metadata and adds Private Object header extensions (see ). Private extensions are serialized and encrypted along with the Object payload, decrypted and deserialized by the receiver. This specification further defines Secure Object KID extension (see ), which is transmitted within the immutable extensions.

Setup Assumptions The application assigns each track a set of (Key ID, track_base_key) tuples, where each track_base_key is known only to authorized original publishers and end subscribers for a given track. How these per-track secrets are established is outside the scope of this specification. The application also defines which Key ID should be used for a given encryption operation. For decryption, the Key ID is obtained from the Secure Object KID header extension that is contained with in the immutable header extension of the Object). Applications determine the ciphersuite to be used for each track's encryption context. Any SFrame ciphersuite can be used.

Application Procedure This section provides steps for applications over MOQT to use mechanisms defined in this specification.

Object Encryption To encrypt a MOQT Object, the application performs the following to produce the plaintext input: Call the MOQT Object's payload as original_payload. pt = Serialize(original_payload) + Serialize(Private header extensions) The serialization for Private header extensions follows the rules defined in section 10.2.1.2 of . The serialzation of the MOQT Object Payload, i.e original_payload, has varint encoded count of the bytes in the payload followed by the original_payload bytes. MOQT Object Payload = encrypt(pt) The output of the encrypt operation is a chiphertext which is set as the payload for the MOQT Object, thus replacing the original_payload. The length of the ciphertext now reflects the encrypted length of original_payload as well as the private header extensions.

Object Decryption To decrypt a MOQT Object, the Object payload is provided as ciphertext input, to obtain the plaintext. Applications deserialize the plaintext to extract private header extensions and the application's original_payload. The following deserialization steps are performed: Let input_payload be the decrypted MOQT Object Payload.

original_payload_length = read_varint(input_payload)
original_payload = read_bytes(input_payload, original_payload_length)

Read varint to obtain the original_payload length.
Read original_payload length bytes, call it output_payload.
If there exists no more data, this is the case of zero private header extensions. So return an empty private extension stucture by setting Type to 0xA and length to 0 and MOQT Object after updating the input_payload and its length to the output_payload.
Else, read 16 bits and if its value doesn't match 0XA, drop the incoming object, else parse the rest of bits as Private header extension. Finally return parsed private extensions and MOQT object after updating the input_payload and its length to the output_payload.

If parsing fails at any stage, drop the received MOQT Object.

Encryption Schema MOQT secure object protection relies on an SFrame cipher suite to define the AEAD encryption algorithm and hash algorithm in use . We will refer to the following aspects of the AEAD and the hash algorithm below:

AEAD.Encrypt and AEAD.Decrypt - The encryption and decryption functions for the AEAD. We follow the convention of RFC 5116 and consider the authentication tag part of the ciphertext produced by AEAD.Encrypt (as opposed to a separate field as in SRTP ).
AEAD.Nk - The size in bytes of a key for the encryption algorithm
AEAD.Nn - The size in bytes of a nonce for the encryption algorithm
AEAD.Nt - The overhead in bytes of the encryption algorithm (typically the size of a "tag" that is added to the plaintext)
AEAD.Nka - For cipher suites using the compound AEAD described in , the size in bytes of a key for the underlying encryption algorithm
Hash.Nh - The size in bytes of the output of the hash function

Metadata Authentication The Key ID, Full Track Name, Immutable Header Extensions, Group ID, and Object ID for a given MOQT Object are authenticated as part of secure object encryption. This ensures, for example, that encrypted objects cannot be replayed across tracks. When protecting or unprotecting a secure object, the following data structure captures the input to the AEAD function's AAD argument:

Track Namespace is serialized as in section 2.4.1 of MOQT.

Serialized Immutable Extensions MUST include the Secure Object KID header extension containing the Key ID.

Nonce Formation The Group ID and Object ID for an object are used to form a 96-bit counter (CTR) value, which XORed with a salt to form the nonce used in AEAD encryption. The counter value is formed by bitwise concatenating the Group ID as 64 bit integer and Object ID as 32 bit integer. This encryption/decryption will fail if applied to an object where group ID is larger than 2⁶⁴ or the object ID is larger than 2³² and the MOQT Object MUST NOT be processed further.

Key Derivation Encryption and decryption use a key and salt derived from the track_base_key associated with a Key ID. Given a track_base_key value, the key and salt are derived using HMAC-based Key Derivation Function (HKDF) as follows: In the derivation of moq_secret:

The + operator represents concatenation of byte strings.
The Key ID value is encoded as an 8-byte big-endian integer.
The cipher_suite value is a 2-byte big-endian integer representing the cipher suite in use (see ).

The hash function used for HKDF is determined by the cipher suite in use.

Encryption MOQT secure object encryption uses the AEAD encryption algorithm for the cipher suite in use. The key for the encryption is the moq_key derived from the track_base_key . The nonce is formed by first XORing the moq_salt with the current CTR value , and then encoding the result as a big-endian integer of length AEAD.Nn. The Private extensions and Object payload field from the MOQT object is used by the AEAD algorithm for the plaintext. The encryptor forms an SecObj header using the Key ID value provided. The encryption procedure is as follows:

Obtain the plaintext payload to encrypt from the MOQT object. Extract the Group ID, Object ID, and the Serialized Immutable Header Extension from the MOQT object envelope. Ensure the Secure Object KID header extension is included, with the Key ID set as its value.
Retrieve the moq_key and moq_salt matching the Key ID.
Form the aad input as described in .
Form the nonce by as described in .
Apply the AEAD encryption function with moq_key, nonce, aad, MOQT Object payload and serialized private header exntenions as inputs (see ).

The final SecureObject is formed from the MOQT transport headers, followed by the output of the encryption.

Decryption For decrypting, the Key ID from the Secure Object KID header extension contained within immutable header extension is used to find the right key and salt for the encrypted object. The MOQT track information matching the Key ID along with Group ID and Object ID fields of the MOQT object header are used to form the nonce. The decryption procedure is as follows:

Parse the SecureObject to obtain Key ID, the ciphertext corresponding to MOQT object payload and the Group ID and Object ID from the MOQT object envelope.
Retrieve the moq_key, moq_salt and MOQT track information matching the Key ID.
Form the aad input as described in .
Form the nonce by as described in .
Apply the AEAD decryption function with moq_key, nonce, aad and ciphertext as inputs.
Decode the private extension headers, returning both the headers and the object payload.

If extracting Key ID fails either due to missing Secure Object KID extension within immutable haeader extension or error from parsing, the client MUST discard the received MOQT Object. If a ciphertext fails to decrypt because there is no key available for the Key ID value presented, the client MAY buffer the ciphertext and retry decryption once a key with that Key ID is received. If a ciphertext fails to decrypt for any other reason, the client MUST discard the ciphertext. Invalid ciphertexts SHOULD be discarded in a way that is indistinguishable (to an external observer) from having processed a valid ciphertext. In other words, the decryption operation should take the same amount of time regardless of whether decryption succeeds or fails.

Header Extensions

Key ID Extension Key ID (Extension Header Type 0x2) is a variable length integer and identifies the keying material (keys, nonces and associated context for the MOQT Track) to be used for a given MOQT track. The Key ID extension is included within the Immutable Header extension. All objects encoded MUST include the Key ID header extension when using this specification for object encryption.

Private Extension The Private Extensions (Extension Header Type 0xA) contains a sequence of Key-Value-Pairs (see section 1.4.2 ) which are also Object Extension Headers of the Object. This extension can be added by the Original Publisher and considered part of the Object Payload.

Security Considerations The cryptographic computations described in this document are exactly those performed in the SFrame encryption scheme defined in , The scheme in this document is effectively a "virtualized" version of SFrame:

The CTR value used in nonce formation is not carried in the object payload, but instead synthesized from the GroupID and ObjectID.
The AAD for the AEAD operation is not sent on the wire (as with the SFrame Header), but constructed locally by the encrypting and decrypting endpoints.
The format of the AAD is different:
- The SFrame Header is constructed using QUIC-style varints, instead of the variable-length integer scheme defined in SFrame.
- The GroupID and GroupID are sent directly, not as the packed CTR value.
The metadata input in to SFrame operations is defined to be the FullTrackName value for the object.
The labels used in key derivation reflect MOQ usage, not generic SFrame.

The security considerations discussed in the SFrame specification thus also apply here. The SFrame specification lists several things that an application needs to account for in order to use SFrame securely, which are all accounted for here:

Header value uniqueness: Uniqueness of CTR values follows from the uniqueness of MOQT (GroupID, ObjectID) pairs. We only use one Key ID value, but instead use distinct SFrame contexts with distinct keys per track. This assures that the same (track_base_key, Key ID, CTR) tuple is never used twice.
Key management: We delegate this to the MOQT application, with subject to the assumptions described in .
Anti-replay: Replay is not possible within the MOQT framework because of the uniqueness constraints on ObjectIDs and objects, and because the group ID and object ID are cryptographically bound to the secure object payload.
Metadata: The analogue of the SFrame metadata input is defined in .

Any of the SFrame ciphersuites defined in the IANA SFrame Cipher Suites registry can be used to protect MOQT objects. The caution against short tags in still applies here, but the MOQT environment provides some safeguards that make it safer to use short tags, namely:

MOQT has hop-by-hop protections provided by the underlying QUIC layer, so a brute-force attack could only be mounted by a relay.
MOQT tracks have predictable object arrival rates, so a receiver can interpret a large deviation from this rate as a sign of an attack.
The the binding of the secure object payload to other MOQT parameters (as metadata), together with MOQT's uniqueness properties ensure that a valid secure object payload cannot be replayed in a different context.

IANA Considerations This document defines a new MOQT Object extension header for carrying Key ID value, under the MOQ Extension Headers registry.

Type	Value
0x2	Seucure Object KID - see

References Normative References Media over QUIC Transport Cisco Google Google Meta This document defines the core behavior for Media over QUIC Transport (MOQT), a media transport protocol designed to operate over QUIC and WebTransport, which have similar functionality. MOQT allows a producer of media to publish data and have it consumed via subscription by a multiplicity of endpoints. It supports intermediate content distribution networks and is designed for high scale and low latency distribution. QUIC: A UDP-Based Multiplexed and Secure Transport This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media This document describes the Secure Frame (SFrame) end-to-end encryption and authentication mechanism for media frames in a multiparty conference call, in which central media servers (Selective Forwarding Units or SFUs) can access the media metadata needed to make forwarding decisions without having access to the actual media. This mechanism differs from the Secure Real-Time Protocol (SRTP) in that it is independent of RTP (thus compatible with non-RTP media transport) and can be applied to whole media frames in order to be more bandwidth efficient. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Secure Frame (SFrame): Lightweight Authenticated Encryption for Real-Time Media This document describes the Secure Frame (SFrame) end-to-end encryption and authentication mechanism for media frames in a multiparty conference call, in which central media servers (Selective Forwarding Units or SFUs) can access the media metadata needed to make forwarding decisions without having access to the actual media. This mechanism differs from the Secure Real-Time Protocol (SRTP) in that it is independent of RTP (thus compatible with non-RTP media transport) and can be applied to whole media frames in order to be more bandwidth efficient. An Interface and Algorithms for Authenticated Encryption This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK] HMAC-based Extract-and-Expand Key Derivation Function (HKDF) This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes. Informative References SFrame Cipher Suites IANA The Secure Real-time Transport Protocol (SRTP) This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]

Acknowledgements Thanks to Alan Frindell for providing text on adding private extensions.