[html5] r5967 - [giow] (0) Make the PeerConnection UDP data media stream feature prevent replay [...]

whatwg at whatwg.org whatwg at whatwg.org
Mon Mar 28 16:58:06 PDT 2011


Author: ianh
Date: 2011-03-28 16:58:04 -0700 (Mon, 28 Mar 2011)
New Revision: 5967

Modified:
   complete.html
   index
   source
Log:
[giow] (0) Make the PeerConnection UDP data media stream feature prevent replay attacks, and add integrity checks. Also, make some of the mentions of HMAC-SHA1 make sense.

Modified: complete.html
===================================================================
--- complete.html	2011-03-25 22:21:47 UTC (rev 5966)
+++ complete.html	2011-03-28 23:58:04 UTC (rev 5967)
@@ -239,7 +239,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1>Web Applications 1.0</h1>
-    <h2 class="no-num no-toc">Living Standard — Last Updated 25 March 2011</h2>
+    <h2 class="no-num no-toc">Living Standard — Last Updated 28 March 2011</h2>
    </hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
    <p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
    <!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -73236,8 +73236,8 @@
   <p>All <code><a href=#peerconnection>PeerConnection</a></code> connections include a <dfn id=data-udp-media-stream>data
   UDP media stream</dfn>, which is used to send data packets
   peer-to-peer, for instance game control packets. This data channel
-  is unreliable (packets are not guaranteed to be delivered, and are
-  not guaranteed to be delivered in the right order).</p>
+  is unreliable (packets are not guaranteed to be delivered), and
+  packets received out of order are discarded.</p>
 
   <p>SDP media descriptions for <a href=#data-udp-media-stream title="data UDP media
   stream">data UDP media streams</a> must use the "<code title="">application</code>" media type, the "<code title="">udp</code>" transport protocol, and the
@@ -73261,6 +73261,11 @@
   and must maintain that UDP media stream for the ICE Agents' whole
   lifetime.</p>
 
+  <p>Each <a href=#peerconnection-data-udp-media-stream><code>PeerConnection</code> data UDP media
+  stream</a> has a <dfn id=sending-sequence-number>sending sequence number</dfn>, which must
+  initially be set to one (1), and a <dfn id=most-recently-received-sequence-number>most recently received
+  sequence number</dfn>, much must initially be zero (0).
+
   <p>A <a href=#data-udp-media-stream>data UDP media stream</a> is an <dfn id=active-data-udp-media-stream>active data UDP
   media stream</dfn> if the <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE
   Agent</a> has selected a destination for it. A <a href=#data-udp-media-stream>data UDP
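Review bot: In the added paragraph, "much must initially be zero (0)" should read "which must initially be zero (0)". The paragraph is also never closed: the added text ends at "zero (0)." with no </p> before the next <p>, unlike the neighbouring paragraphs in this file.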
@@ -73272,16 +73277,25 @@
   <p>Bytes transmitted on a <a href=#data-udp-media-stream>data UDP media stream</a> are
   masked so as to prevent cross-protocol attacks (<a href=#data-udp-media-stream>data UDP media
   stream</a> always appear to contain random noise to other
-  protocols). For the purposes of masking, the <dfn id=data-udp-media-stream-salt>data UDP media
-  stream salt</dfn> is defined to be the following 16 bytes, described
-  here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF 7A 3A 1A
-  57 75 02</p>
+  protocols). For the purposes of masking, the <dfn id=data-udp-media-stream-masking-salt>data UDP media
+  stream masking salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF
+  7A 3A 1A 57 75 02</p>
   <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
 
+  <p>Bytes transmitted on a <a href=#data-udp-media-stream>data UDP media stream</a> are
+  also hashed so as to prevent forgery attacks (an attacker cannot
+  change the data without knowing the key negotiated via the signaling
+  channel). For the purposes of this hashing, the <dfn id=data-udp-media-stream-hashing-salt>data UDP media
+  stream hashing salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: 4E 2F 96 AB 0A 39 92 A2 56 94
+  91 F5 7E 58 2E FA</p>
+  <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
+
   <p>When the user agent is to <dfn id=transmit-a-data-packet-to-a-peer>transmit a data packet to a
   peer</dfn> using a <a href=#data-udp-media-stream>data UDP media stream</a> and with a
-  byte string payload <var title="">raw message</var>, the user agent must
-  run the following steps:</p>
+  byte string payload <var title="">raw message</var>, the user agent
+  must run the following steps:</p>
 
   <ol><li><p>Let <var title="">nonce</var> be 16 cryptographically random
    bytes.</li>
@@ -73290,23 +73304,42 @@
    encryption key for the <a href=#data-udp-media-stream>data UDP media stream</a> in its
    media description, as defined above.</li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var title="">nonce</var> bytes, the 16 <a href=#data-udp-media-stream-salt>data UDP media stream
-   salt</a> bytes, and the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+   <li><p>Let <var title="">sending sequence number</var> be the
+   current <a href=#sending-sequence-number>sending sequence number</a>.</li>
 
+   <li><p>Increment the <a href=#sending-sequence-number>sending sequence number</a> by one
+   (1).</li>
+
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-masking-salt>data UDP media stream masking salt</a>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
    <li><p>Let <var title="">typed raw message</var> be the
-   concatenation of three 0x00 bytes, a 0x01 byte, and <var title="">raw message</var>.</li>
+   concatenation of the <var title="">sequence number</var> as a
+   big-endian 64 bit integer, three 0x00 bytes, a 0x01 byte, and <var title="">raw message</var>.</li>
 
    <li><p>Let <var title="">masked message</var> be the result of
    encrypting <var title="">typed raw message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a href=#refsAES128CTR>[AES128CTR]</a></li>
+   keyed with <var title="">mask-key</var> and using the 16 <var title="">nonce</var> bytes as the initial counter value. <a href=#refsAES128CTR>[AES128CTR]</a></li>
 
    <li><p>Let <var title="">masked message with nonce</var> be the
    concatenation of <var title="">nonce</var> and <var title="">masked
    message</var>.</li>
 
-   <li><p>Send <var title="">masked message with nonce</var> in a UDP
-   packet to the destination that the relevant
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-hashing-salt>data UDP media stream hashing
+   salt</a> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of the
+   HMAC-SHA1 of <var title="">masked message with nonce</var> keyed
+   with the 16 <var title="">hash-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hashed masked message with nonce</var> be the
+   concatenation of <var title="">hash</var> and <var title="">masked message with nonce</var>.</li>
+
+   <li><p>Send <var title="">hashed masked message with nonce</var> in
+   a UDP packet to the destination that the relevant
    <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a> has selected a
    destination for the <a href=#data-udp-media-stream>data UDP media stream</a>.</li>
 
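Review bot: The new step defines the variable "sending sequence number", but the typed raw message step concatenates "sequence number", which is not defined anywhere in the send steps. Use one name in both places. Separately, nothing says what the sender does once the 64 bit counter is exhausted; one sentence on that would close the gap.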
@@ -73314,36 +73347,64 @@
   stream</a> is received, the user agent must run the following
   steps:</p>
 
-  <ol><li><p>Let <var title="">masked message with nonce</var> be the UDP
+  <ol><li><p>Let <var title="">hashed masked message with nonce</var> be the UDP
    packet's data.</li>
 
-   <li><p>If <var title="">masked message with nonce</var> is shorter than 20
-   bytes, then abort these steps.</li>
+   <li><p>If <var title="">hashed masked message with nonce</var> is
+   shorter than 32 bytes, then abort these steps.</li>
 
    <li><p>Let <var title="">ice-key</var> be the 16 bytes given as the
    encryption key for the <a href=#data-udp-media-stream>data UDP media stream</a> in the
    media description for this media stream. <a href=#refsSDP>[SDP]</a></li>
 
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-hashing-salt>data UDP media stream hashing
+   salt</a> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of
+   the <var title="">hashed masked message with nonce</var>.</li>
+
+   <li><p>Let <var title="">masked message with nonce</var> be all but
+   the first 16 bytes of <var title="">hashed masked message with
+   nonce</var>.</li>
+
+   <li><p>If <var title="">hash</var> does not equal the first 16
+   bytes of the HMAC-SHA1 of <var title="">masked message with
+   nonce</var> keyed with the 16 <var title="">hash-key</var> bytes,
+   abort these steps. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
    <li><p>Let <var title="">nonce</var> be the first 16 bytes of the
    <var title="">masked message with nonce</var>.</li>
 
    <li><p>Let <var title="">masked message</var> be all but the first
    16 bytes of <var title="">masked message with nonce</var>.</li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var title="">nonce</var> bytes, the 16 <a href=#data-udp-media-stream-salt>data UDP media stream
-   salt</a> bytes, and the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-masking-salt>data UDP media stream masking salt</a>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
 
    <li><p>Let <var title="">typed raw message</var> be the result of
    decrypting <var title="">masked message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a href=#refsAES128CTR>[AES128CTR]</a></li>
+   keyed with <var title="">mask-key</var> and using the 16 <var title="">nonce</var> bytes as the initial counter value. <a href=#refsAES128CTR>[AES128CTR]</a></li>
 
-   <li><p>If the four bytes of <var title="">typed raw message</var>
-   are not 0x00, 0x00, 0x00, and 0x01 respectively, then abort these
-   steps.</li>
+   <li><p>Let <var title="">sequence number</var> be the result of
+   interpreting the first eight bytes of <var title="">typed raw
+   message</var> as a 64 bit big-endian integer.</li>
 
+   <li><p>If <var title="">sequence number</var> is less than the
+   <a href=#most-recently-received-sequence-number>most recently received sequence number</a> then abort
+   these steps.</li>
+
+   <li><p>Let the <a href=#most-recently-received-sequence-number>most recently received sequence number</a>
+   be <var title="">sequence number</var>.</li>
+
+   <li><p>If the ninth, tenth, eleventh, and twelfth bytes of <var title="">typed raw message</var> are not 0x00, 0x00, 0x00, and 0x01
+   respectively, then abort these steps.</li>
+
    <li><p>Let <var title="">raw message</var> be the byte string
-   consisting of all but the first four characters of <var title="">typed raw message</var>.</li>
+   consisting of all but the first twelve bytes of <var title="">typed
+   raw message</var>.</li>
 
    <li><p>Let <var title="">message</var> be <var title="">raw
    message</var> <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error
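Review bot: The replay check "If sequence number is less than the most recently received sequence number then abort these steps" still accepts a packet whose sequence number equals the last one accepted, so a captured copy of the most recent packet passes the hash check and is delivered a second time. The initial values (sender starts at one, receiver at zero) suggest the comparison was meant to be "less than or equal to". The ordering is otherwise sound: the counter is only updated after the HMAC-SHA1 comparison has succeeded, so an unauthenticated packet cannot advance it.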
@@ -73357,7 +73418,12 @@
    responsible for this side of the <a href=#data-udp-media-stream>data UDP media
    stream</a>.</li>
 
-  </ol><p>A <dfn id=remotely-initiated-data-udp-media-stream>remotely-initiated data UDP media stream</dfn> is the
+  </ol><p class=note>Though described above as being computed for each
+  packet, the <var title="">ice-key</var>, <var title="">hash-key</var>, and <var title="">mask-key</var> values can
+  be precomputed as soon as the <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE
+  Agent</a> is started.</p>
+
+  <p>A <dfn id=remotely-initiated-data-udp-media-stream>remotely-initiated data UDP media stream</dfn> is the
   first "sendrecv" media stream in the initial offer whose media is
   "<code title="">application</code>", whose transport protocol is
   "<code title="">udp</code>", whose media format description is

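Review bot: The note lists ice-key among the values "described above as being computed for each packet", but the steps read ice-key from the media description; only hash-key and mask-key are derived. Since mask-key no longer depends on the nonce and is therefore fixed for the stream, the note should also say that the nonce is the one input that must stay fresh for every packet.
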
Modified: index
===================================================================
--- index	2011-03-25 22:21:47 UTC (rev 5966)
+++ index	2011-03-28 23:58:04 UTC (rev 5967)
@@ -243,7 +243,7 @@
 
   <header class=head id=head><p><a class=logo href=http://www.whatwg.org/ rel=home><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
    <hgroup><h1 class=allcaps>HTML</h1>
-    <h2 class="no-num no-toc">Living Standard — Last Updated 25 March 2011</h2>
+    <h2 class="no-num no-toc">Living Standard — Last Updated 28 March 2011</h2>
    </hgroup><p>You can take part in this work. <a href=http://www.whatwg.org/mailing-list>Join the working group's discussion list.</a></p>
    <p><strong>Web designers!</strong> We have a <a href=http://blog.whatwg.org/faq/>FAQ</a>, a <a href=http://forums.whatwg.org/>forum</a>, and a <a href=http://www.whatwg.org/mailing-list#help>help mailing list</a> for you!</p>
    <!--<p class="impl"><strong>Implementors!</strong> We have a <a href="http://www.whatwg.org/mailing-list#implementors">mailing list</a> for you too!</p>-->
@@ -73242,8 +73242,8 @@
   <p>All <code><a href=#peerconnection>PeerConnection</a></code> connections include a <dfn id=data-udp-media-stream>data
   UDP media stream</dfn>, which is used to send data packets
   peer-to-peer, for instance game control packets. This data channel
-  is unreliable (packets are not guaranteed to be delivered, and are
-  not guaranteed to be delivered in the right order).</p>
+  is unreliable (packets are not guaranteed to be delivered), and
+  packets received out of order are discarded.</p>
 
   <p>SDP media descriptions for <a href=#data-udp-media-stream title="data UDP media
   stream">data UDP media streams</a> must use the "<code title="">application</code>" media type, the "<code title="">udp</code>" transport protocol, and the
@@ -73267,6 +73267,11 @@
   and must maintain that UDP media stream for the ICE Agents' whole
   lifetime.</p>
 
+  <p>Each <a href=#peerconnection-data-udp-media-stream><code>PeerConnection</code> data UDP media
+  stream</a> has a <dfn id=sending-sequence-number>sending sequence number</dfn>, which must
+  initially be set to one (1), and a <dfn id=most-recently-received-sequence-number>most recently received
+  sequence number</dfn>, much must initially be zero (0).
+
   <p>A <a href=#data-udp-media-stream>data UDP media stream</a> is an <dfn id=active-data-udp-media-stream>active data UDP
   media stream</dfn> if the <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE
   Agent</a> has selected a destination for it. A <a href=#data-udp-media-stream>data UDP
@@ -73278,16 +73283,25 @@
   <p>Bytes transmitted on a <a href=#data-udp-media-stream>data UDP media stream</a> are
   masked so as to prevent cross-protocol attacks (<a href=#data-udp-media-stream>data UDP media
   stream</a> always appear to contain random noise to other
-  protocols). For the purposes of masking, the <dfn id=data-udp-media-stream-salt>data UDP media
-  stream salt</dfn> is defined to be the following 16 bytes, described
-  here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF 7A 3A 1A
-  57 75 02</p>
+  protocols). For the purposes of masking, the <dfn id=data-udp-media-stream-masking-salt>data UDP media
+  stream masking salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF
+  7A 3A 1A 57 75 02</p>
   <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
 
+  <p>Bytes transmitted on a <a href=#data-udp-media-stream>data UDP media stream</a> are
+  also hashed so as to prevent forgery attacks (an attacker cannot
+  change the data without knowing the key negotiated via the signaling
+  channel). For the purposes of this hashing, the <dfn id=data-udp-media-stream-hashing-salt>data UDP media
+  stream hashing salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: 4E 2F 96 AB 0A 39 92 A2 56 94
+  91 F5 7E 58 2E FA</p>
+  <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
+
   <p>When the user agent is to <dfn id=transmit-a-data-packet-to-a-peer>transmit a data packet to a
   peer</dfn> using a <a href=#data-udp-media-stream>data UDP media stream</a> and with a
-  byte string payload <var title="">raw message</var>, the user agent must
-  run the following steps:</p>
+  byte string payload <var title="">raw message</var>, the user agent
+  must run the following steps:</p>
 
   <ol><li><p>Let <var title="">nonce</var> be 16 cryptographically random
    bytes.</li>
@@ -73296,23 +73310,42 @@
    encryption key for the <a href=#data-udp-media-stream>data UDP media stream</a> in its
    media description, as defined above.</li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var title="">nonce</var> bytes, the 16 <a href=#data-udp-media-stream-salt>data UDP media stream
-   salt</a> bytes, and the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+   <li><p>Let <var title="">sending sequence number</var> be the
+   current <a href=#sending-sequence-number>sending sequence number</a>.</li>
 
+   <li><p>Increment the <a href=#sending-sequence-number>sending sequence number</a> by one
+   (1).</li>
+
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-masking-salt>data UDP media stream masking salt</a>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
    <li><p>Let <var title="">typed raw message</var> be the
-   concatenation of three 0x00 bytes, a 0x01 byte, and <var title="">raw message</var>.</li>
+   concatenation of the <var title="">sequence number</var> as a
+   big-endian 64 bit integer, three 0x00 bytes, a 0x01 byte, and <var title="">raw message</var>.</li>
 
    <li><p>Let <var title="">masked message</var> be the result of
    encrypting <var title="">typed raw message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a href=#refsAES128CTR>[AES128CTR]</a></li>
+   keyed with <var title="">mask-key</var> and using the 16 <var title="">nonce</var> bytes as the initial counter value. <a href=#refsAES128CTR>[AES128CTR]</a></li>
 
    <li><p>Let <var title="">masked message with nonce</var> be the
    concatenation of <var title="">nonce</var> and <var title="">masked
    message</var>.</li>
 
-   <li><p>Send <var title="">masked message with nonce</var> in a UDP
-   packet to the destination that the relevant
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-hashing-salt>data UDP media stream hashing
+   salt</a> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of the
+   HMAC-SHA1 of <var title="">masked message with nonce</var> keyed
+   with the 16 <var title="">hash-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hashed masked message with nonce</var> be the
+   concatenation of <var title="">hash</var> and <var title="">masked message with nonce</var>.</li>
+
+   <li><p>Send <var title="">hashed masked message with nonce</var> in
+   a UDP packet to the destination that the relevant
    <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE Agent</a> has selected a
    destination for the <a href=#data-udp-media-stream>data UDP media stream</a>.</li>
 
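Review bot: The masking step now uses "the 16 nonce bytes as the initial counter value" but does not say how the counter block advances for messages longer than one AES block (which bytes are incremented, in what byte order, and what happens on wrap). Unless [AES128CTR] fixes this for a full 16-byte initial value, two implementations can produce different keystreams after the first block; state the increment rule in this step.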
@@ -73320,36 +73353,64 @@
   stream</a> is received, the user agent must run the following
   steps:</p>
 
-  <ol><li><p>Let <var title="">masked message with nonce</var> be the UDP
+  <ol><li><p>Let <var title="">hashed masked message with nonce</var> be the UDP
    packet's data.</li>
 
-   <li><p>If <var title="">masked message with nonce</var> is shorter than 20
-   bytes, then abort these steps.</li>
+   <li><p>If <var title="">hashed masked message with nonce</var> is
+   shorter than 32 bytes, then abort these steps.</li>
 
    <li><p>Let <var title="">ice-key</var> be the 16 bytes given as the
    encryption key for the <a href=#data-udp-media-stream>data UDP media stream</a> in the
    media description for this media stream. <a href=#refsSDP>[SDP]</a></li>
 
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-hashing-salt>data UDP media stream hashing
+   salt</a> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of
+   the <var title="">hashed masked message with nonce</var>.</li>
+
+   <li><p>Let <var title="">masked message with nonce</var> be all but
+   the first 16 bytes of <var title="">hashed masked message with
+   nonce</var>.</li>
+
+   <li><p>If <var title="">hash</var> does not equal the first 16
+   bytes of the HMAC-SHA1 of <var title="">masked message with
+   nonce</var> keyed with the 16 <var title="">hash-key</var> bytes,
+   abort these steps. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+
    <li><p>Let <var title="">nonce</var> be the first 16 bytes of the
    <var title="">masked message with nonce</var>.</li>
 
    <li><p>Let <var title="">masked message</var> be all but the first
    16 bytes of <var title="">masked message with nonce</var>.</li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var title="">nonce</var> bytes, the 16 <a href=#data-udp-media-stream-salt>data UDP media stream
-   salt</a> bytes, and the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <a href=#data-udp-media-stream-masking-salt>data UDP media stream masking salt</a>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a href=#refsHMAC>[HMAC]</a> <a href=#refsSHA1>[SHA1]</a></li>
 
    <li><p>Let <var title="">typed raw message</var> be the result of
    decrypting <var title="">masked message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a href=#refsAES128CTR>[AES128CTR]</a></li>
+   keyed with <var title="">mask-key</var> and using the 16 <var title="">nonce</var> bytes as the initial counter value. <a href=#refsAES128CTR>[AES128CTR]</a></li>
 
-   <li><p>If the four bytes of <var title="">typed raw message</var>
-   are not 0x00, 0x00, 0x00, and 0x01 respectively, then abort these
-   steps.</li>
+   <li><p>Let <var title="">sequence number</var> be the result of
+   interpreting the first eight bytes of <var title="">typed raw
+   message</var> as a 64 bit big-endian integer.</li>
 
+   <li><p>If <var title="">sequence number</var> is less than the
+   <a href=#most-recently-received-sequence-number>most recently received sequence number</a> then abort
+   these steps.</li>
+
+   <li><p>Let the <a href=#most-recently-received-sequence-number>most recently received sequence number</a>
+   be <var title="">sequence number</var>.</li>
+
+   <li><p>If the ninth, tenth, eleventh, and twelfth bytes of <var title="">typed raw message</var> are not 0x00, 0x00, 0x00, and 0x01
+   respectively, then abort these steps.</li>
+
    <li><p>Let <var title="">raw message</var> be the byte string
-   consisting of all but the first four characters of <var title="">typed raw message</var>.</li>
+   consisting of all but the first twelve bytes of <var title="">typed
+   raw message</var>.</li>
 
    <li><p>Let <var title="">message</var> be <var title="">raw
    message</var> <a href=#decoded-as-utf-8,-with-error-handling>decoded as UTF-8, with error
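Review bot: The length check "shorter than 32 bytes" only covers the 16-byte hash and the 16-byte nonce, while later steps read the first eight bytes of typed raw message as the sequence number and then the ninth to twelfth bytes as the type marker. A packet of 32 to 43 bytes with a valid hash therefore reaches those steps with fewer than twelve bytes to read. Raising the minimum to 44 bytes, or adding an explicit abort when typed raw message is shorter than twelve bytes, would make the steps well defined.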
@@ -73363,7 +73424,12 @@
    responsible for this side of the <a href=#data-udp-media-stream>data UDP media
    stream</a>.</li>
 
-  </ol><p>A <dfn id=remotely-initiated-data-udp-media-stream>remotely-initiated data UDP media stream</dfn> is the
+  </ol><p class=note>Though described above as being computed for each
+  packet, the <var title="">ice-key</var>, <var title="">hash-key</var>, and <var title="">mask-key</var> values can
+  be precomputed as soon as the <a href=#peerconnection-ice-agent><code>PeerConnection</code> ICE
+  Agent</a> is started.</p>
+
+  <p>A <dfn id=remotely-initiated-data-udp-media-stream>remotely-initiated data UDP media stream</dfn> is the
   first "sendrecv" media stream in the initial offer whose media is
   "<code title="">application</code>", whose transport protocol is
   "<code title="">udp</code>", whose media format description is

Modified: source
===================================================================
--- source	2011-03-25 22:21:47 UTC (rev 5966)
+++ source	2011-03-28 23:58:04 UTC (rev 5967)
@@ -83531,8 +83531,8 @@
   <p>All <code>PeerConnection</code> connections include a <dfn>data
   UDP media stream</dfn>, which is used to send data packets
   peer-to-peer, for instance game control packets. This data channel
-  is unreliable (packets are not guaranteed to be delivered, and are
-  not guaranteed to be delivered in the right order).</p>
+  is unreliable (packets are not guaranteed to be delivered), and
+  packets received out of order are discarded.</p>
 
   <p>SDP media descriptions for <span title="data UDP media
   stream">data UDP media streams</span> must use the "<code
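Review bot: "packets received out of order are discarded" is broader than what the receive steps in this revision do. Only a packet whose sequence number is lower than one already accepted is dropped; a packet that arrives ahead of its predecessors is accepted, and it is the late predecessors that are then lost. Suggest wording along the lines of "packets that arrive after a later packet has been received are discarded".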
@@ -83560,6 +83560,11 @@
   and must maintain that UDP media stream for the ICE Agents' whole
   lifetime.</p>
 
+  <p>Each <span><code>PeerConnection</code> data UDP media
+  stream</span> has a <dfn>sending sequence number</dfn>, which must
+  initially be set to one (1), and a <dfn>most recently received
+  sequence number</dfn>, much must initially be zero (0).
+
   <p>A <span>data UDP media stream</span> is an <dfn>active data UDP
   media stream</dfn> if the <span><code>PeerConnection</code> ICE
   Agent</span> has selected a destination for it. A <span>data UDP
@@ -83572,15 +83577,24 @@
   masked so as to prevent cross-protocol attacks (<span>data UDP media
   stream</span> always appear to contain random noise to other
   protocols). For the purposes of masking, the <dfn>data UDP media
-  stream salt</dfn> is defined to be the following 16 bytes, described
-  here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF 7A 3A 1A
-  57 75 02</p>
+  stream masking salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: DB 68 B5 FD 17 0E 15 77 56 AF
+  7A 3A 1A 57 75 02</p>
   <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
 
+  <p>Bytes transmitted on a <span>data UDP media stream</span> are
+  also hashed so as to prevent forgery attacks (an attacker cannot
+  change the data without knowing the key negotiated via the signaling
+  channel). For the purposes of this hashing, the <dfn>data UDP media
+  stream hashing salt</dfn> is defined to be the following 16 bytes,
+  described here as hexadecimal numbers: 4E 2F 96 AB 0A 39 92 A2 56 94
+  91 F5 7E 58 2E FA</p>
+  <!-- obtained thusly: head -c 16 /dev/urandom | hexdump -C -->
+
   <p>When the user agent is to <dfn>transmit a data packet to a
   peer</dfn> using a <span>data UDP media stream</span> and with a
-  byte string payload <var title="">raw message</var>, the user agent must
-  run the following steps:</p>
+  byte string payload <var title="">raw message</var>, the user agent
+  must run the following steps:</p>
 
   <ol>
 
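Review bot: The new paragraph says bytes are "hashed so as to prevent forgery attacks", but what the steps compute is a keyed HMAC-SHA1 value truncated to 16 bytes; a plain hash would not stop forgery, so "authenticated" and "message authentication code" would describe the mechanism more accurately than "hashed" and "hash". The two 16-byte "salt" values are public constants used to derive separate keys from ice-key, and a sentence saying so would make clear that they are not secret and only serve to keep mask-key and hash-key distinct.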
@@ -83591,27 +83605,49 @@
    encryption key for the <span>data UDP media stream</span> in its
    media description, as defined above.</p></li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var
-   title="">nonce</var> bytes, the 16 <span>data UDP media stream
-   salt</span> bytes, and the 16 <var title="">ice-key</var> bytes. <a
+   <li><p>Let <var title="">sending sequence number</var> be the
+   current <span>sending sequence number</span>.</p></li>
+
+   <li><p>Increment the <span>sending sequence number</span> by one
+   (1).</p></li>
+
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <span>data UDP media stream masking salt</span>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a
    href="#refsHMAC">[HMAC]</a> <a href="#refsSHA1">[SHA1]</a></p></li>
 
    <li><p>Let <var title="">typed raw message</var> be the
-   concatenation of three 0x00 bytes, a 0x01 byte, and <var
+   concatenation of the <var title="">sequence number</var> as a
+   big-endian 64 bit integer, three 0x00 bytes, a 0x01 byte, and <var
    title="">raw message</var>.</p></li>
 
    <li><p>Let <var title="">masked message</var> be the result of
    encrypting <var title="">typed raw message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a
+   keyed with <var title="">mask-key</var> and using the 16 <var
+   title="">nonce</var> bytes as the initial counter value. <a
    href="#refsAES128CTR">[AES128CTR]</a></p></li>
 
    <li><p>Let <var title="">masked message with nonce</var> be the
    concatenation of <var title="">nonce</var> and <var title="">masked
    message</var>.</p></li>
 
-   <li><p>Send <var title="">masked message with nonce</var> in a UDP
-   packet to the destination that the relevant
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <span>data UDP media stream hashing
+   salt</span> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href="#refsHMAC">[HMAC]</a> <a
+   href="#refsSHA1">[SHA1]</a></p></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of the
+   HMAC-SHA1 of <var title="">masked message with nonce</var> keyed
+   with the 16 <var title="">hash-key</var> bytes. <a
+   href="#refsHMAC">[HMAC]</a> <a href="#refsSHA1">[SHA1]</a></p></li>
+
+   <li><p>Let <var title="">hashed masked message with nonce</var> be the
+   concatenation of <var title="">hash</var> and <var
+   title="">masked message with nonce</var>.</p></li>
+
+   <li><p>Send <var title="">hashed masked message with nonce</var> in
+   a UDP packet to the destination that the relevant
    <span><code>PeerConnection</code> ICE Agent</span> has selected a
    destination for the <span>data UDP media stream</span>.</p></li>
 
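Review bot: In the AES-128-CTR step, all 16 nonce bytes now serve as the initial counter value under a mask-key that, per the receiving steps and the closing note, no longer varies per packet. Keystream blocks are therefore nonce, nonce+1, and so on, and two packets whose nonces lie within one message length of each other would share keystream. The step should state that nonce must be unique per packet under a given ice-key and define how the counter block is incremented; reserving the low-order bytes of the counter block for the block index would remove the overlap case. Computing hash over masked message with nonce (encrypt, then authenticate) is the right order.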
@@ -83623,41 +83659,71 @@
 
   <ol>
 
-   <li><p>Let <var title="">masked message with nonce</var> be the UDP
+   <li><p>Let <var title="">hashed masked message with nonce</var> be the UDP
    packet's data.</p></li>
 
-   <li><p>If <var title="">masked message with nonce</var> is shorter than 20
-   bytes, then abort these steps.</p></li>
+   <li><p>If <var title="">hashed masked message with nonce</var> is
+   shorter than 32 bytes, then abort these steps.</p></li>
 
    <li><p>Let <var title="">ice-key</var> be the 16 bytes given as the
    encryption key for the <span>data UDP media stream</span> in the
    media description for this media stream. <a
    href="#refsSDP">[SDP]</a></p></li>
 
+   <li><p>Let <var title="">hash-key</var> be the first 16 bytes of
+   the HMAC-SHA1 of the 16 <span>data UDP media stream hashing
+   salt</span> bytes keyed with the 16 <var title="">ice-key</var>
+   bytes. <a href="#refsHMAC">[HMAC]</a> <a
+   href="#refsSHA1">[SHA1]</a></p></li>
+
+   <li><p>Let <var title="">hash</var> be the first 16 bytes of
+   the <var title="">hashed masked message with nonce</var>.</p></li>
+
+   <li><p>Let <var title="">masked message with nonce</var> be all but
+   the first 16 bytes of <var title="">hashed masked message with
+   nonce</var>.</p></li>
+
+   <li><p>If <var title="">hash</var> does not equal the first 16
+   bytes of the HMAC-SHA1 of <var title="">masked message with
+   nonce</var> keyed with the 16 <var title="">hash-key</var> bytes,
+   abort these steps. <a href="#refsHMAC">[HMAC]</a> <a
+   href="#refsSHA1">[SHA1]</a></p></li>
+
    <li><p>Let <var title="">nonce</var> be the first 16 bytes of the
    <var title="">masked message with nonce</var>.</p></li>
 
    <li><p>Let <var title="">masked message</var> be all but the first
    16 bytes of <var title="">masked message with nonce</var>.</p></li>
 
-   <li><p>Let <var title="">key</var> be the first 16 bytes of
-   the HMAC-SHA1 of the concatenation of the 16 <var
-   title="">nonce</var> bytes, the 16 <span>data UDP media stream
-   salt</span> bytes, and the 16 <var title="">ice-key</var> bytes. <a
+   <li><p>Let <var title="">mask-key</var> be the first 16 bytes of the
+   HMAC-SHA1 of the 16 <span>data UDP media stream masking salt</span>
+   bytes keyed with the 16 <var title="">ice-key</var> bytes. <a
    href="#refsHMAC">[HMAC]</a> <a href="#refsSHA1">[SHA1]</a></p></li>
 
    <li><p>Let <var title="">typed raw message</var> be the result of
    decrypting <var title="">masked message</var> using AES-128-CTR
-   keyed with <var title="">key</var>. <a
+   keyed with <var title="">mask-key</var> and using the 16 <var
+   title="">nonce</var> bytes as the initial counter value. <a
    href="#refsAES128CTR">[AES128CTR]</a></p></li>
 
-   <li><p>If the four bytes of <var title="">typed raw message</var>
-   are not 0x00, 0x00, 0x00, and 0x01 respectively, then abort these
-   steps.</p></li>
+   <li><p>Let <var title="">sequence number</var> be the result of
+   interpreting the first eight bytes of <var title="">typed raw
+   message</var> as a 64 bit big-endian integer.</p></li>
 
+   <li><p>If <var title="">sequence number</var> is less than the
+   <span>most recently received sequence number</span> then abort
+   these steps.</p></li>
+
+   <li><p>Let the <span>most recently received sequence number</span>
+   be <var title="">sequence number</var>.</p></li>
+
+   <li><p>If the ninth, tenth, eleventh, and twelfth bytes of <var
+   title="">typed raw message</var> are not 0x00, 0x00, 0x00, and 0x01
+   respectively, then abort these steps.</p></li>
+
    <li><p>Let <var title="">raw message</var> be the byte string
-   consisting of all but the first four characters of <var
-   title="">typed raw message</var>.</p></li>
+   consisting of all but the first twelve bytes of <var title="">typed
+   raw message</var>.</p></li>
 
    <li><p>Let <var title="">message</var> be <var title="">raw
    message</var> <span>decoded as UTF-8, with error
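Review bot: The replay check aborts only when sequence number is "less than" the most recently received sequence number, so a byte-for-byte copy of the latest packet passes the hash check, carries an equal sequence number, and is delivered a second time. This should read "less than or equal to", and these steps should say what the most recently received sequence number is before the first packet arrives. Separately, the minimum length of 32 bytes covers only the hash and the nonce, while later steps read twelve bytes of typed raw message (eight for the sequence number, four for the type), so the bound should be 44 bytes. Checking the ninth to twelfth bytes before updating the most recently received sequence number would also keep a packet that is then discarded from advancing the state.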
@@ -83675,6 +83741,12 @@
 
   </ol>
 
+  <p class="note">Though described above as being computed for each
+  packet, the <var title="">ice-key</var>, <var
+  title="">hash-key</var>, and <var title="">mask-key</var> values can
+  be precomputed as soon as the <span><code>PeerConnection</code> ICE
+  Agent</span> is started.</p>
+
   <p>A <dfn>remotely-initiated data UDP media stream</dfn> is the
   first "sendrecv" media stream in the initial offer whose media is
   "<code title="">application</code>", whose transport protocol is
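Review bot: The note lists ice-key among the values that "can be precomputed", but in the steps above ice-key is read from the media description rather than computed; only hash-key and mask-key are derived from it. Suggest rewording so that hash-key and mask-key are described as computable once ice-key is known, and adding that both stay fixed for the life of the stream, which is why per-packet uniqueness rests entirely on the nonce and the sequence number.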



