Document: draft-ietf-avt-seed-srtp-09
Reviewer: Elwyn Davies
Review Date: 12 March 2009
IETF LC End Date: 27 March 2009
IESG Telechat date: (if known) -

Summary:
This draft is probably nearly ready for the IESG. Unfortunately I am not sufficiently much of a security/cryptographic expert to know if the alternative processing mechanisms and short (128 bit) key implications of the CCM and GCM modes are adequately discussed. There are a couple of editorial nits to sort out also.

Issues:
s2.2 and s2.3: In s2.2 (and by implication s2.3), the draft reverses the order of encryption and authentication as compared with the processing specified in s3.3 of RFC 3711 (SRTP) and uses a single 128 bit key. This is declared appropriately, but I wonder if (1) the revised processing should be spelt out more specifically and (2) I don't see any consideration of what differences, if any, this might make to the security of SRTP. [Declaration: I am not a security expert and this may be totally obvious to an expert.] However, the second paragraph of s10 of RFC 3610 states that

> Users of smaller key sizes (such as 128-bits) should take precautions
> to make the precomputation attacks more difficult. Repeated use of
> the same nonce value (with different keys of course) ought to be
> avoided. One solution is to include a random value within the nonce.
> Of course, a packet counter is also needed within the nonce. Since
> the nonce is of limited size, a random value in the nonce provides a
> limited amount of additional security
>

In the context of this, is the nonce considered to be adequately randomized or is some other mechanism deemed to provide an adequate solution? This is not obvious to me - again it might be so for an expert.

Editorial:
Expansion of SEED: Is this an acronym? Probably not, but if so it should be expanded in the abstract.

s2.2: Length of Nonce: The connection between length of nonce = 12 and L = 3 requires intimate knowledge of RFC 3710. A pointer to section 2.1 of RFC 3710 would help together with the expression L = (15 - length of Nonce).

s8.2: neither of the URLs in the informative references appears to deliver an actual document, and certainly not in English.
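
The expression L = (15 - length of Nonce) from the s2.2 comment, worked through for the first CCM block B_0 as laid out in RFC 3610 (the CCM specification); this is an added example, not part of the review or of the draft. The function names, the 8-octet tag length and the sample nonce are assumptions constructed for illustration.

```python
# Added illustration: CCM length parameters and the B_0 block (RFC 3610, section 2.2).
# Function names, tag length and sample values are hypothetical, not from the draft.

def ccm_length_field_size(nonce_len: int) -> int:
    """Return L, the size in octets of CCM's message-length field."""
    L = 15 - nonce_len
    if not 2 <= L <= 8:
        # RFC 3610 allows L in 2..8, which means a nonce of 7..13 octets.
        raise ValueError("CCM requires a nonce of 7 to 13 octets")
    return L


def ccm_max_message_len(nonce_len: int) -> int:
    """Largest message length (octets) that fits in the L-octet length field."""
    return (1 << (8 * ccm_length_field_size(nonce_len))) - 1


def ccm_b0(nonce: bytes, msg_len: int, tag_len: int, has_aad: bool) -> bytes:
    """Build B_0 = flags || nonce || l(m), the first block fed to CBC-MAC."""
    L = ccm_length_field_size(len(nonce))
    if tag_len not in (4, 6, 8, 10, 12, 14, 16):
        raise ValueError("CCM tag length M must be an even value from 4 to 16")
    if not 0 <= msg_len < (1 << (8 * L)):
        raise ValueError("message too long for this nonce length")
    # Flags octet: bit 6 = Adata, bits 5..3 = (M - 2) / 2, bits 2..0 = L - 1.
    flags = (0x40 if has_aad else 0) | (((tag_len - 2) // 2) << 3) | (L - 1)
    return bytes([flags]) + nonce + msg_len.to_bytes(L, "big")


if __name__ == "__main__":
    nonce = bytes(range(12))  # constructed 12-octet sample nonce
    print("L =", ccm_length_field_size(len(nonce)))
    print("max payload octets =", ccm_max_message_len(len(nonce)))
    # Constructed case: 160-octet payload, 8-octet tag, header sent as AAD.
    print("B_0 =", ccm_b0(nonce, 160, 8, True).hex())
```

A longer nonce leaves a smaller length field, so nonce space and maximum packet size trade off against each other within the fixed 16-octet block.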