The Camellia Algorithm and Its Use wiht the Secure Real-time Transport Protocol(SRTP)

This document describes the use of the Camellia block cipher algorithm in the Secure Real-time Transport Protocol (SRTP) for providing confidentiality for the Real-time Transport Protocol (RTP) traffic and for the control traffic for RTP, the Real-time Transport Control Protocol (RTCP) .

Camellia is a symmetric cipher with a Feistel structure. Camellia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to Advanced Encryption Standard (AES) . Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the AES. Therefore, it is easy to implement Camellia based algorithms by replacing the AES block of AES based algorithms with a Camellia block. Camellia already has been adopted by the IETF and other international standardization organizations; in particular, the IETF has published specifications for the use of Camellia with IPsec , TLS , S/MIME and XML Security . Camellia is one of the three ISO/IEC international standard 128-bit block ciphers (Camellia, AES, and SEED). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project and was included in the list of cryptographic techniques for Japanese e-Government systems that was selected by the Japanese CRYPTREC (Cryptography Research and Evaluation Committees) . Since optimized source code is provided under several open source licenses , Camellia is also adopted by several open source projects (OpenSSL, GnuTLS, FreeBSD, and Linux). Camellia is also adopted by Mozilla and Camellia is ready for use with Firefox 3.0 released in June 2008. The algorithm specification and object identifiers are described in . The Camellia web site contains a wealth of information about Camellia, including detailed specification, security analysis, performance figures, reference implementation, optimized implementation, test vectors(TV), and intellectual property information.

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that appear in this document are to be interpreted as described in .

All symmetric block cipher algorithms share common characteristics and valuables, including mode, key size, weak keys, and block size. Camellia algorithm is specified as well as AES, those relations are following:

The default transforms also are mandatory-to-implement transforms in SRTP. Of course, "mandatory-to-implement" does not imply "mandatory- to-use". Table 1 summarizes the pre-defined transforms. The default values below are valid for the pre-defined transforms.

Table 1: Mandatory-to-implement, optional and default transforms in SRTP and SRTCP.

At the time of writing this document, there are no known weak keys for Camellia. Also, No security problem has been found on Camellia. Camellia is secure against all known attacks including Differential cryptanalysis, linear cryptanalysis, and related key attacks. The security considerations in RFC 5289 and Draft of AES-GCM and AES-CCM for SRTP apply to this document as well.

RFC 4568 defines SRTP "crypto suites"; also, defines a crypto suite corresponds to a particular AEAD algorithm in SRTP. In order to allow SDP to signal the use of the algorithms defined in this document, IANA will register the following crypto suites into the subregistry for SRTP crypto suites under the SRTP transport of the SDP Security Descriptions:

TBD.