| >I don't propose to get into an extended debate about whether it is
| >better to use SRTP or to use generic DTLS. That debate has already
| >happened in IETF and SRTP is what the VoIP vendors are
| >doing. However, the good news here is that you can use DTLS to key
| >SRTP (draft-ietf-avt-dtls-srtp), so there's no need to invent a new
| >key management scheme.
|
| Hmm, given this X-to-key-Y pattern (your DTLS-for-SRTP example, as
| well as OpenVPN using ESP with TLS keying), I wonder if it's worth
| unbundling the key exchange from the transport?

A system I designed has this property: You can choose the key exchange mechanism separately from the encryption mechanism. In fact, the end user can select this (though generally he chooses one of a number of pre-defined options, which internally are just macros). The encryption mechanism is able to enforce a quality constraint on which keying mechanisms it's willing to deal with - e.g., only the NULL encryption mechanism is willing to accept the "NO_KEY" key exchange.
I did make a simplifying assumption that there is a linear ranking of quality for keying mechanisms, so that what an encryptor actually specifies is "at least this strength". There's a similar assumed ranking for encryption mechanisms. Negotiation is done by having each end specify which keying and encryption mechanisms it is willing to use (those it implements, filtered by user-specified constraints), and then choosing the "strongest" in the intersection of the mechanisms common to both. In principle, one could similarly choose an authentication mechanism.

The linear ranking worked in the particular situation where I designed this but isn't generalizable. Without that, things get much more complex - you lose the nice property of the current implementation that the two ends need merely exchange what they implement, and then proceed independently to choose the "best" among the available choices (and always come to the same conclusions).

All of this ignores a significant issue: Are keying and encryption (and authentication) mechanisms really independent of each other? I'm not aware of much work in this direction. Most of what's out there is negative results that, on the one hand, tell you that general independence theorems are impossible; but on the other, they tend to be based on clearly pathological combinations, which hints that independence theorems *might* be possible, if we knew how to constrain the different components to avoid the pathologies.

                                                        -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
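The negotiation scheme Jerry describes, written out as a small Python model. This is an added illustration, not code from the post or from the system he designed; the mechanism names, the strength values, the minimum-keying-strength policy attached to each encryptor, and the two sample endpoints are all assumptions made up for the example. It shows the two properties the post relies on: an encryptor rejecting keying mechanisms below its required strength (so NULL is the only encryptor that will take NO_KEY), and both ends reaching the same answer from nothing more than each other's offered sets.

```python
"""Model of separable keying / encryption negotiation with linear rankings.

Added example; the rankings, names and policies below are invented.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed linear ranking of keying mechanisms (higher is stronger).
KEYING_STRENGTH = {
    "NO_KEY": 0,
    "PSK": 1,
    "RSA_KEX": 2,
    "ECDHE": 3,
}


@dataclass(frozen=True)
class Encryptor:
    """An encryption mechanism with its rank and the weakest keying it accepts."""
    name: str
    strength: int
    min_keying: int  # "at least this strength" constraint on the keying mechanism


# Assumed linear ranking of encryption mechanisms plus each one's keying policy.
# Only NULL is willing to be driven by NO_KEY (strength 0).
ENCRYPTORS = {
    "NULL":       Encryptor("NULL", 0, KEYING_STRENGTH["NO_KEY"]),
    "RC4":        Encryptor("RC4", 1, KEYING_STRENGTH["PSK"]),
    "AES128-GCM": Encryptor("AES128-GCM", 2, KEYING_STRENGTH["PSK"]),
    "AES256-GCM": Encryptor("AES256-GCM", 3, KEYING_STRENGTH["ECDHE"]),
}


@dataclass(frozen=True)
class Offer:
    """What one end sends: the mechanisms it implements, after user filtering."""
    keying: FrozenSet[str]
    encryption: FrozenSet[str]


def make_offer(implemented_keying, implemented_encryption,
               min_keying=0, min_encryption=0) -> Offer:
    """Filter an implementation's mechanism lists by user-specified minimums."""
    keying = frozenset(k for k in implemented_keying
                       if KEYING_STRENGTH[k] >= min_keying)
    encryption = frozenset(e for e in implemented_encryption
                           if ENCRYPTORS[e].strength >= min_encryption)
    return Offer(keying, encryption)


def negotiate(mine: Offer, theirs: Offer) -> Optional[Tuple[str, str]]:
    """Pick (encryption, keying) from the intersection of two offers.

    Because the rankings are linear, the strongest common keying mechanism is
    always the best candidate, and the chosen encryptor is the strongest common
    one whose keying constraint that mechanism satisfies.  The result depends
    only on the two sets, so each end can compute it independently.
    """
    common_keying = mine.keying & theirs.keying
    common_enc = mine.encryption & theirs.encryption
    if not common_keying or not common_enc:
        return None
    best_keying = max(common_keying, key=KEYING_STRENGTH.get)
    acceptable = [e for e in common_enc
                  if ENCRYPTORS[e].min_keying <= KEYING_STRENGTH[best_keying]]
    if not acceptable:
        return None
    best_enc = max(acceptable, key=lambda e: ENCRYPTORS[e].strength)
    return best_enc, best_keying


def demo():
    """Two constructed endpoints; returns what each side independently picks."""
    alice = make_offer(["NO_KEY", "PSK", "ECDHE"],
                       ["NULL", "AES128-GCM", "AES256-GCM"])
    bob = make_offer(["PSK", "RSA_KEX"],
                     ["RC4", "AES128-GCM", "AES256-GCM"])
    return negotiate(alice, bob), negotiate(bob, alice)


if __name__ == "__main__":
    print(demo())
```

In the demo the only common keying mechanism is PSK, so AES256-GCM (which insists on ECDHE-strength keying) is passed over in favour of AES128-GCM, and both orderings of the call agree. Dropping the linear ranking would mean `max` no longer has a single well-defined answer, which is exactly the property the post says is lost.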