<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.10 (Ruby 2.6.10) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-westerlund-avtcore-srtp-gcm-sst-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="GCM-SST for SRTP">GCM-SST Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)</title>

    <author initials="M." surname="Westerlund" fullname="Magnus Westerlund">
      <organization>Ericsson</organization>
      <address>
        <email>magnus.westerlund@ericsson.com</email>
      </address>
    </author>
    <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson</organization>
      <address>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="06"/>

    <area>ART</area>
    <workgroup>Audio/Video Transport Core Maintenance</workgroup>
    <keyword>Cipher Suite</keyword> <keyword>GCM-SST</keyword> <keyword>SRTP</keyword>

    <abstract>


<t>This document defines how the GCM-SST (Galois Counter Mode with Strong Secure Tags) Authenticated Encryption with Associated Data (AEAD) algorithm family can be used to provide confidentiality and data authentication in the Secure Real-time Transport Protocol (SRTP). GCM-SST addresses known weaknesses in AES-GCM for short authentication tags, making it well suited for media encryption use cases where low overhead is critical.</t>



    </abstract>

    <note title="About This Document" removeInRFC="true">
      <t>
        The latest revision of this draft can be found at <eref target="https://gloinul.github.io/draft-westerlund-avtcore-srtp-gcm-sst/draft-westerlund-avtcore-srtp-gcm-sst.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-westerlund-avtcore-srtp-gcm-sst/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Audio/Video Transport Core Maintenance (AVTCORE) Working Group mailing list (<eref target="mailto:avt@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/avt/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/gloinul/draft-westerlund-avtcore-srtp-gcm-sst"/>.</t>
    </note>


  </front>

  <middle>


<section anchor="introduction"><name>Introduction</name>

<t>The Secure Real-time Transport Protocol (SRTP) <xref target="RFC3711"/> is a profile of the Real-time Transport Protocol (RTP) <xref target="RFC3550"/>, which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP).</t>

<t>Authenticated Encryption with Associated Data (AEAD) <xref target="RFC5116"/> provides both confidentiality and integrity in a single cryptographic operation. This specification makes use of the GCM-SST (Galois Counter Mode with Strong Secure Tags) AEAD algorithm family defined in <xref target="I-D.mattsson-cfrg-aes-gcm-sst"/>.</t>

<t>AES-GCM is widely used but has known weaknesses when used with short authentication tags. The forgery probability for AES-GCM is significantly worse than ideal, and a successful forgery reveals the authentication subkey H, enabling an attacker to forge all subsequent messages. GCM-SST addresses these weaknesses by introducing an additional subkey H2 and deriving fresh subkeys H and H2 for each nonce, resulting in near-ideal forgery probabilities even for short tags and even after multiple forgery attempts.</t>

<t>Short authentication tags are common in media encryption. 32-bit tags are standard in most radio link layers, 64-bit tags are common in IoT transport and application layers, and 32-, 64-, and 80-bit tags are common in media encryption applications. Audio packets are small, numerous, and ephemeral, making them highly sensitive to cryptographic overhead. GCM-SST enables the use of short tags with strong security guarantees, avoiding the need to either use larger-than-necessary tags or fall back to slower constructions such as AES-CTR combined with HMAC.</t>

<t>This document defines how to use the AES-128-GCM-SST, AES-256-GCM-SST, and Rijndael-GCM-SST AEAD algorithms in SRTP and SRTCP, with authentication tag lengths of 48, 96, and 112 bits. The following cipher suites are defined:</t>

<figure><artwork><![CDATA[
  AEAD_AES_128_GCM_SST_6       AES-128 with a 6-octet (48-bit) tag
  AEAD_AES_128_GCM_SST_12      AES-128 with a 12-octet (96-bit) tag
  AEAD_AES_128_GCM_SST_14      AES-128 with a 14-octet (112-bit) tag
  AEAD_AES_256_GCM_SST_6       AES-256 with a 6-octet (48-bit) tag
  AEAD_AES_256_GCM_SST_12      AES-256 with a 12-octet (96-bit) tag
  AEAD_AES_256_GCM_SST_14      AES-256 with a 14-octet (112-bit) tag
  AEAD_RIJNDAEL_GCM_SST_6      Rijndael-256 with a 6-octet (48-bit) tag
  AEAD_RIJNDAEL_GCM_SST_12     Rijndael-256 with a 12-octet (96-bit) tag
  AEAD_RIJNDAEL_GCM_SST_14     Rijndael-256 with a 14-octet (112-bit) tag
]]></artwork></figure>

<t>When using cipher suites with 48-bit (6-octet) tags for SRTP, SRTCP uses 96-bit (12-octet) tags. This provides adequate security for the less frequent SRTCP packets while minimizing overhead for the more numerous SRTP packets.</t>

<t>The Rijndael-GCM-SST cipher suites use Rijndael-256 (256-bit key, 256-bit block) in counter mode as the keystream generator. Rijndael-256 uses a 28-octet (224-bit) nonce, which requires a different IV formation than the AES-based cipher suites (see <xref target="rijndael-srtp-iv"/> and <xref target="rijndael-srtcp-iv"/>).</t>

</section>
<section anchor="conventions-and-definitions"><name>Conventions and Definitions</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<t>The following terms have specific meanings in this document:</t>

<dl>
  <dt>Instantiation:</dt>
  <dd>
    <t>In AEAD, an instantiation is an (Encryption_key, salt) pair together with all data structures needed for it to function properly. In SRTP/SRTCP, each endpoint needs two instantiations of the AEAD algorithm for each master key: one for SRTP traffic and one for SRTCP traffic.</t>
  </dd>
  <dt>Invocation:</dt>
  <dd>
    <t>SRTP/SRTCP data streams are broken into packets. Each packet is processed by a single invocation of the appropriate instantiation of the AEAD algorithm.</t>
  </dd>
  <dt>Associated Data:</dt>
  <dd>
    <t>Data that is authenticated but not encrypted.</t>
  </dd>
  <dt>Plaintext:</dt>
  <dd>
    <t>Data that is both encrypted and authenticated.</t>
  </dd>
  <dt>Ciphertext:</dt>
  <dd>
    <t>The output of the AEAD encryption function, consisting of the encrypted Plaintext followed by the authentication tag.</t>
  </dd>
  <dt>Raw Data:</dt>
  <dd>
    <t>Data that is neither encrypted nor authenticated.</t>
  </dd>
</dl>

</section>
<section anchor="overview-of-the-srtpsrtcp-aead-security-architecture"><name>Overview of the SRTP/SRTCP AEAD Security Architecture</name>

<t>SRTP/SRTCP AEAD security is based upon the following principles:</t>

<t>a. Both privacy and authentication are based upon the use of symmetric algorithms. An AEAD algorithm such as GCM-SST combines privacy and authentication into a single process.</t>

<t>b. A secret master key is shared by all participating endpoints. Any given master key <bcp14>MAY</bcp14> be used simultaneously by several endpoints to originate SRTP/SRTCP packets.</t>

<t>c. A Key Derivation Function (KDF) is applied to the shared master key to form separate encryption keys and salting keys for SRTP and SRTCP. Since AEAD algorithms combine encryption and authentication into a single process, AEAD algorithms do not make use of separate authentication keys.</t>

<t>d. The details of how the master key is established and shared between participants are outside the scope of this document. Any mechanism for rekeying an existing session is also outside the scope of this document.</t>

<t>e. Each time GCM-SST is invoked to encrypt and authenticate an SRTP or SRTCP packet, a new Initialization Vector (IV) is used. For AES-based cipher suites, SRTP combines the 4-octet Synchronization Source (SSRC) identifier, the 4-octet Rollover Counter (ROC), and the 2-octet Sequence Number (SEQ) with the 12-octet encryption salt to form a 12-octet IV (see <xref target="srtp-iv"/>). SRTCP combines the SSRC and 31-bit SRTCP index with the encryption salt to form a 12-octet IV (see <xref target="srtcp-iv"/>). For Rijndael-GCM-SST cipher suites, the same packet fields are combined with a 28-octet encryption salt to form a 28-octet IV (see <xref target="rijndael-srtp-iv"/> and <xref target="rijndael-srtcp-iv"/>).</t>

</section>
<section anchor="generic-aead-processing"><name>Generic AEAD Processing</name>

<section anchor="aead-invocation-inputs-and-outputs"><name>AEAD Invocation Inputs and Outputs</name>

<section anchor="encrypt-mode"><name>Encrypt Mode</name>

<figure><artwork><![CDATA[
  Inputs:
    Encryption_key         Octet string, 16 or 32 octets
    Initialization_Vector  Octet string, 12 or 28 octets
    Associated_Data        Octet string of variable length
    Plaintext              Octet string of variable length

  Outputs:
    Ciphertext             Octet string, length =
                             length(Plaintext) + tag_length
]]></artwork></figure>

<t>The ciphertext consists of the encrypted Plaintext followed by the authentication tag.</t>

</section>
<section anchor="decrypt-mode"><name>Decrypt Mode</name>

<figure><artwork><![CDATA[
  Inputs:
    Encryption_key         Octet string, 16 or 32 octets
    Initialization_Vector  Octet string, 12 or 28 octets
    Associated_Data        Octet string of variable length
    Ciphertext             Octet string of variable length

  Outputs:
    Plaintext              Octet string, length = length(Ciphertext) - tag_length
    Validity_Flag          Boolean, TRUE if valid, FALSE otherwise
]]></artwork></figure>

</section>
</section>
<section anchor="handling-of-aead-authentication"><name>Handling of AEAD Authentication</name>

<t>All incoming packets <bcp14>MUST</bcp14> pass AEAD authentication before any other action takes place. Plaintext and Associated Data <bcp14>MUST NOT</bcp14> be released until the AEAD authentication tag has been validated. Should the AEAD authentication tag prove to be invalid, the packet <bcp14>MUST</bcp14> be discarded.</t>

</section>
</section>
<section anchor="gcm-sst-processing-for-srtp"><name>GCM-SST Processing for SRTP</name>

<section anchor="srtp-iv"><name>SRTP IV Formation for GCM-SST</name>

<figure title="GCM-SST SRTP Initialization Vector Formation (AES)" anchor="fig-srtp-iv"><artwork><![CDATA[
              0  0  0  0  0  0  0  0  0  0  1  1
              0  1  2  3  4  5  6  7  8  9  0  1
            +--+--+--+--+--+--+--+--+--+--+--+--+
            |00|00|    SSRC   |     ROC   | SEQ |---+
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
            |         Encryption Salt           |->(+)
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
            |       Initialization Vector       |<--+
            +--+--+--+--+--+--+--+--+--+--+--+--+
]]></artwork></figure>

<t>The 12-octet IV used by AES-GCM-SST SRTP is formed by first concatenating 2 octets of zeroes, the 4-octet SSRC, the 4-octet rollover counter (ROC), and the 2-octet sequence number (SEQ). The resulting 12-octet value is then XORed with the 12-octet salt to form the IV.</t>

</section>
<section anchor="rijndael-srtp-iv"><name>SRTP IV Formation for Rijndael-GCM-SST</name>

<figure title="Rijndael-GCM-SST SRTP Initialization Vector Formation" anchor="fig-rijndael-srtp-iv"><artwork><![CDATA[
  0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         0 (18 octets)             |  SSRC | ROC   |SEQ|---+
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
                                                             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
 |             Encryption Salt (28 octets)               |->(+)
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
                                                             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
 |          Initialization Vector (28 octets)            |<--+
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The 28-octet IV used by Rijndael-GCM-SST SRTP is formed by first concatenating 18 octets of zeroes, the 4-octet SSRC, the 4-octet rollover counter (ROC), and the 2-octet sequence number (SEQ). The resulting 28-octet value is then XORed with the 28-octet salt to form the IV. The larger salt provides significantly greater security against precomputation and multi-key attacks compared to the AES-based cipher suites.</t>

</section>
<section anchor="data-types-in-srtp-packets"><name>Data Types in SRTP Packets</name>

<t>All SRTP packets <bcp14>MUST</bcp14> be both authenticated and encrypted. The data fields within RTP packets are broken into Associated Data, Plaintext, and Raw Data as follows:</t>

<dl>
  <dt>Associated Data:</dt>
  <dd>
    <t>The RTP header fields: version V (2 bits), padding flag P (1 bit), extension flag X (1 bit), CSRC count CC (4 bits), marker M (1 bit), Payload Type PT (7 bits), sequence number (16 bits), timestamp (32 bits), SSRC (32 bits), optional CSRC identifiers, and optional RTP extension.</t>
  </dd>
  <dt>Plaintext:</dt>
  <dd>
    <t>The RTP payload, RTP padding (if used), and RTP pad count (if used).</t>
  </dd>
  <dt>Raw Data:</dt>
  <dd>
    <t>The optional SRTP Master Key Identifier (MKI) and SRTP authentication tag (whose use is <bcp14>NOT RECOMMENDED</bcp14>).</t>
  </dd>
</dl>

<figure title="RTP Packet before Authenticated Encryption" anchor="fig-srtp-pre"><artwork><![CDATA[
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|V=2|P|X|  CC   |M|     PT      |       sequence number         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|                           timestamp                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|           synchronization source (SSRC) identifier            |
 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A|            contributing source (CSRC) identifiers             |
A|                             ....                              |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|                   RTP extension (OPTIONAL)                    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
P|                          payload  ...                         |
P|                               +-------------------------------+
P|                               | RTP padding   | RTP pad count |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  P = Plaintext   A = Associated Data
]]></artwork></figure>

<figure title="SRTP Packet after Authenticated Encryption" anchor="fig-srtp-post"><artwork><![CDATA[
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|V=2|P|X|  CC   |M|     PT      |       sequence number         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|                           timestamp                           |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|           synchronization source (SSRC) identifier            |
 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A|            contributing source (CSRC) identifiers             |
A|                             ....                              |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|                   RTP extension (OPTIONAL)                    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
C|                          cipher ...                           |
C|                             ...                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R:                     SRTP MKI (OPTIONAL)                       :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R:           SRTP authentication tag (NOT RECOMMENDED)           :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  C = Ciphertext   A = Associated Data   R = Raw Data
]]></artwork></figure>

</section>
<section anchor="handling-header-extensions"><name>Handling Header Extensions</name>

<t>When <xref target="RFC6904"/> is in use, a separate keystream is generated to encrypt selected RTP header extension elements. For GCM-SST cipher suites using AES-128 keys, this keystream <bcp14>MUST</bcp14> be generated using the AES_128_CM transform. For GCM-SST cipher suites using AES-256 keys (including the Rijndael-GCM-SST cipher suites), the keystream <bcp14>MUST</bcp14> be generated using the AES_256_CM transform. The originator <bcp14>MUST</bcp14> perform any required header extension encryption before the AEAD algorithm is invoked.</t>

<t>Both encrypted and unencrypted header extensions are treated by the AEAD algorithm as Associated Data. The AEAD algorithm therefore provides integrity and authentication for header extensions but no additional privacy beyond what RFC 6904 provides.</t>

</section>
<section anchor="srtp-iv-reuse"><name>Prevention of SRTP IV Reuse</name>

<t>To prevent IV reuse, the (ROC, SEQ, SSRC) triple <bcp14>MUST</bcp14> never be used twice with the same master key. A rekey <bcp14>MUST</bcp14> be performed before the (ROC, SEQ) pair cycles back to its original value. For a given master key, the set of all SSRC values <bcp14>MUST</bcp14> be partitioned into disjoint pools, one per originating endpoint, and each endpoint <bcp14>MUST</bcp14> only use SSRC values from its assigned pool.</t>

</section>
</section>
<section anchor="gcm-sst-processing-for-srtcp"><name>GCM-SST Processing for SRTCP</name>

<t>All SRTCP compound packets <bcp14>MUST</bcp14> be authenticated. SRTCP packet encryption is optional and indicated by a 1-bit Encryption flag located just before the 31-bit SRTCP index.</t>

<t>When using the AEAD_AES_128_GCM_SST_6, AEAD_AES_256_GCM_SST_6, or AEAD_RIJNDAEL_GCM_SST_6 cipher suites (which use 48-bit tags for SRTP), implementations <bcp14>MUST</bcp14> use 96-bit (12-octet) authentication tags for SRTCP packets. For all other cipher suites, the SRTCP tag length <bcp14>MUST</bcp14> match the SRTP tag length.</t>

<section anchor="srtcp-iv"><name>SRTCP IV Formation for AES-GCM-SST</name>

<figure title="GCM-SST SRTCP Initialization Vector Formation (AES)" anchor="fig-srtcp-iv"><artwork><![CDATA[
              0  1  2  3  4  5  6  7  8  9 10 11
            +--+--+--+--+--+--+--+--+--+--+--+--+
            |00|00|    SSRC   |00|00|0+SRTCP Idx|---+
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
            |         Encryption Salt           |->(+)
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
                                                    |
            +--+--+--+--+--+--+--+--+--+--+--+--+   |
            |       Initialization Vector       |<--+
            +--+--+--+--+--+--+--+--+--+--+--+--+
]]></artwork></figure>

<t>The 12-octet IV used by AES-GCM-SST SRTCP is formed by concatenating 2 octets of zeroes, the 4-octet SSRC, 2 octets of zeroes, a single "0" bit, and the 31-bit SRTCP index. The resulting 12-octet value is then XORed with the 12-octet salt to form the IV.</t>

</section>
<section anchor="rijndael-srtcp-iv"><name>SRTCP IV Formation for Rijndael-GCM-SST</name>

<figure title="Rijndael-GCM-SST SRTCP Initialization Vector Formation" anchor="fig-rijndael-srtcp-iv"><artwork><![CDATA[
  0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         0 (18 octets)             |  SSRC |0 0|0+RTCPi|---+
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
                                                             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
 |             Encryption Salt (28 octets)               |->(+)
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
                                                             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
 |          Initialization Vector (28 octets)            |<--+
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

]]></artwork></figure>

<t>The 28-octet IV used by Rijndael-GCM-SST SRTCP is formed by concatenating 18 octets of zeroes, the 4-octet SSRC, 2 octets of zeroes, a single "0" bit, and the 31-bit SRTCP index. The resulting 28-octet value is then XORed with the 28-octet salt to form the IV.</t>

</section>
<section anchor="data-types-in-encrypted-srtcp-packets"><name>Data Types in Encrypted SRTCP Packets</name>

<t>When the Encryption flag is set to 1:</t>

<dl>
  <dt>Associated Data:</dt>
  <dd>
    <t>Version V (2 bits), padding flag P (1 bit), reception report count RC (5 bits), Packet Type (8 bits), length (2 octets), SSRC (4 octets), Encryption flag (1 bit), and SRTCP index (31 bits).</t>
  </dd>
  <dt>Plaintext:</dt>
  <dd>
    <t>All other data.</t>
  </dd>
  <dt>Raw Data:</dt>
  <dd>
    <t>The optional SRTCP MKI and SRTCP authentication tag (<bcp14>NOT RECOMMENDED</bcp14>).</t>
  </dd>
</dl>

<figure title="AEAD SRTCP Inputs When Encryption Flag = 1" anchor="fig-srtcp-enc"><artwork><![CDATA[
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|V=2|P|   RC    |  Packet Type  |            length             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|           synchronization source (SSRC) of sender             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
P|                         sender info                           :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
P|                        report blocks ...                      :
 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
P|                       additional packets ...                  :
 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A|1|                         SRTCP index                         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R:                  SRTCP MKI (OPTIONAL)                         :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R:           SRTCP authentication tag (NOT RECOMMENDED)          :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  P = Plaintext   A = Associated Data   R = Raw Data
]]></artwork></figure>

</section>
<section anchor="data-types-in-unencrypted-srtcp-packets"><name>Data Types in Unencrypted SRTCP Packets</name>

<t>When the Encryption flag is set to 0:</t>

<dl>
  <dt>Plaintext:</dt>
  <dd>
    <t>None.</t>
  </dd>
  <dt>Associated Data:</dt>
  <dd>
    <t>All data except the optional SRTCP MKI and authentication tag.</t>
  </dd>
  <dt>Raw Data:</dt>
  <dd>
    <t>The optional SRTCP MKI and SRTCP authentication tag (<bcp14>NOT RECOMMENDED</bcp14>).</t>
  </dd>
</dl>

<figure title="AEAD SRTCP Inputs When Encryption Flag = 0" anchor="fig-srtcp-unenc"><artwork><![CDATA[
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|V=2|P|   RC    |  Packet Type  |            length             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|           synchronization source (SSRC) of sender             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|                         sender info                           :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A|                        report blocks ...                      :
 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A|                       additional packets ...                  :
 +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
A|0|                         SRTCP index                         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R:                  SRTCP MKI (OPTIONAL)                         :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
R:              authentication tag (NOT RECOMMENDED)             :
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  A = Associated Data   R = Raw Data
]]></artwork></figure>

</section>
<section anchor="prevention-of-srtcp-iv-reuse"><name>Prevention of SRTCP IV Reuse</name>

<t>A new master key <bcp14>MUST</bcp14> be established before the 31-bit SRTCP index cycles back to its original value. The comments on SSRC management in <xref target="srtp-iv-reuse"/> also apply to SRTCP.</t>

</section>
</section>
<section anchor="unneeded-srtpsrtcp-fields"><name>Unneeded SRTP/SRTCP Fields</name>

<section anchor="srtpsrtcp-authentication-tag-field"><name>SRTP/SRTCP Authentication Tag Field</name>

<t>The AEAD message authentication mechanism <bcp14>MUST</bcp14> be the primary message authentication mechanism. Additional SRTP/SRTCP authentication mechanisms <bcp14>SHOULD NOT</bcp14> be used, and the optional SRTP/SRTCP authentication tags are <bcp14>NOT RECOMMENDED</bcp14> and <bcp14>SHOULD NOT</bcp14> be present.</t>

</section>
<section anchor="rtp-padding"><name>RTP Padding</name>

<t>GCM-SST does not require data to be padded to a specific block size. It is <bcp14>RECOMMENDED</bcp14> that the RTP padding mechanism not be used unless necessary to disguise the length of the underlying Plaintext.</t>

</section>
</section>
<section anchor="constraints-on-aead-for-srtp-and-srtcp"><name>Constraints on AEAD for SRTP and SRTCP</name>

<t>All AEAD algorithms used with SRTP/SRTCP <bcp14>MUST</bcp14> satisfy the following constraints:</t>

<texttable title="AEAD Constraints for SRTP/SRTCP">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>Meaning</ttcol>
      <ttcol align='left'>Value</ttcol>
      <c>A_MAX</c>
      <c>Maximum Associated Data length</c>
      <c><bcp14>MUST</bcp14> be at least 12 octets</c>
      <c>N_MIN</c>
      <c>Minimum nonce (IV) length</c>
      <c>12 octets (AES) or 28 octets (Rijndael)</c>
      <c>N_MAX</c>
      <c>Maximum nonce (IV) length</c>
      <c>12 octets (AES) or 28 octets (Rijndael)</c>
      <c>P_MAX</c>
      <c>Maximum Plaintext length</c>
      <c>2^15 octets (AES) or 2^16 octets (Rijndael)</c>
      <c>C_MAX</c>
      <c>Maximum ciphertext length</c>
      <c>P_MAX + tag_length</c>
</texttable>

<t>Additional parameters:</t>

<t><list style="symbols">
  <t>E_MAX (maximum number of encryption invocations per key): E_MAX is 2^48 for SRTP and 2^31 for SRTCP. SRTP and SRTCP use separate derived keys and therefore have independent invocation counts.</t>
  <t>D_MAX (maximum number of decryption invocations per key): For AES-GCM-SST cipher suites, D_MAX is 2^54. For Rijndael-GCM-SST cipher suites, D_MAX is 2^118.</t>
</list></t>

<t>For AES-GCM-SST, <xref target="I-D.mattsson-cfrg-aes-gcm-sst"/> recommends that protocols enforce E_MAX · P_MAX / 16 ⪅ 2^59. With E_MAX of 2^48 and P_MAX of 2^15 octets, the product E_MAX · P_MAX / 16 = 2^59, which satisfies this bound. If an application requires larger packets, P_MAX <bcp14>MAY</bcp14> be increased provided that E_MAX is reduced accordingly so that E_MAX · P_MAX / 16 ⪅ 2^59 remains satisfied, and a rekey <bcp14>MUST</bcp14> be performed before E_MAX is reached. For Rijndael-GCM-SST, the 256-bit block size guarantees δ ≈ 1 without requiring this constraint, and P_MAX is set to 2^16 octets with E_MAX of 2^48.</t>

</section>
<section anchor="key-derivation-functions"><name>Key Derivation Functions</name>

<t>A Key Derivation Function (KDF) is used to derive all required encryption keys and salts from the shared master key. The AES-128-GCM-SST cipher suites <bcp14>MUST</bcp14> use the AES_128_CM_PRF KDF described in <xref target="RFC3711"/>. The AES-256-GCM-SST and Rijndael-GCM-SST cipher suites <bcp14>MUST</bcp14> use the AES_256_CM_PRF KDF described in <xref target="RFC6188"/>.</t>

<t>For the Rijndael-GCM-SST cipher suites, the KDF <bcp14>MUST</bcp14> derive a 256-bit encryption key and a 224-bit (28-octet) encryption salt. The master salt for Rijndael-GCM-SST is 224 bits.</t>

</section>
<section anchor="summary-of-gcm-sst-cipher-suites-in-srtpsrtcp"><name>Summary of GCM-SST Cipher Suites in SRTP/SRTCP</name>

<t>The following GCM-SST cipher suites are defined for use with SRTP/SRTCP:</t>

<texttable title="GCM-SST Cipher Suites for SRTP/SRTCP">
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Key Size</ttcol>
      <ttcol align='left'>Tag Size</ttcol>
      <c>AEAD_AES_128_GCM_SST_6</c>
      <c>16 octets</c>
      <c>6 octets</c>
      <c>AEAD_AES_128_GCM_SST_12</c>
      <c>16 octets</c>
      <c>12 octets</c>
      <c>AEAD_AES_128_GCM_SST_14</c>
      <c>16 octets</c>
      <c>14 octets</c>
      <c>AEAD_AES_256_GCM_SST_6</c>
      <c>32 octets</c>
      <c>6 octets</c>
      <c>AEAD_AES_256_GCM_SST_12</c>
      <c>32 octets</c>
      <c>12 octets</c>
      <c>AEAD_AES_256_GCM_SST_14</c>
      <c>32 octets</c>
      <c>14 octets</c>
      <c>AEAD_RIJNDAEL_GCM_SST_6</c>
      <c>32 octets</c>
      <c>6 octets</c>
      <c>AEAD_RIJNDAEL_GCM_SST_12</c>
      <c>32 octets</c>
      <c>12 octets</c>
      <c>AEAD_RIJNDAEL_GCM_SST_14</c>
      <c>32 octets</c>
      <c>14 octets</c>
</texttable>

<texttable title="AEAD_AES_128_GCM_SST_6 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_AES_128_GCM_SST_6</ttcol>
      <c>Master key length</c>
      <c>128 bits</c>
      <c>Master salt length</c>
      <c>96 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_128_CM_PRF <xref target="RFC3711"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^54 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>48 bits</c>
</texttable>

<texttable title="AEAD_AES_128_GCM_SST_12 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_AES_128_GCM_SST_12</ttcol>
      <c>Master key length</c>
      <c>128 bits</c>
      <c>Master salt length</c>
      <c>96 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_128_CM_PRF <xref target="RFC3711"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^54 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>96 bits</c>
</texttable>

<texttable title="AEAD_AES_128_GCM_SST_14 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_AES_128_GCM_SST_14</ttcol>
      <c>Master key length</c>
      <c>128 bits</c>
      <c>Master salt length</c>
      <c>96 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_128_CM_PRF <xref target="RFC3711"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^54 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>112 bits</c>
</texttable>

<texttable title="AEAD_AES_256_GCM_SST_6 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_AES_256_GCM_SST_6</ttcol>
      <c>Master key length</c>
      <c>256 bits</c>
      <c>Master salt length</c>
      <c>96 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_256_CM_PRF <xref target="RFC6188"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^54 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>48 bits</c>
</texttable>

<texttable title="AEAD_AES_256_GCM_SST_12 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_AES_256_GCM_SST_12</ttcol>
      <c>Master key length</c>
      <c>256 bits</c>
      <c>Master salt length</c>
      <c>96 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_256_CM_PRF <xref target="RFC6188"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^54 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>96 bits</c>
</texttable>

<texttable title="AEAD_AES_256_GCM_SST_14 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_AES_256_GCM_SST_14</ttcol>
      <c>Master key length</c>
      <c>256 bits</c>
      <c>Master salt length</c>
      <c>96 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_256_CM_PRF <xref target="RFC6188"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^54 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>112 bits</c>
</texttable>

<texttable title="AEAD_RIJNDAEL_GCM_SST_6 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_RIJNDAEL_GCM_SST_6</ttcol>
      <c>Master key length</c>
      <c>256 bits</c>
      <c>Master salt length</c>
      <c>224 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_256_CM_PRF <xref target="RFC6188"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^118 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>48 bits</c>
</texttable>

<texttable title="AEAD_RIJNDAEL_GCM_SST_12 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_RIJNDAEL_GCM_SST_12</ttcol>
      <c>Master key length</c>
      <c>256 bits</c>
      <c>Master salt length</c>
      <c>224 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_256_CM_PRF <xref target="RFC6188"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^118 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>96 bits</c>
</texttable>

<texttable title="AEAD_RIJNDAEL_GCM_SST_14 Crypto Suite">
      <ttcol align='left'>Parameter</ttcol>
      <ttcol align='left'>AEAD_RIJNDAEL_GCM_SST_14</ttcol>
      <c>Master key length</c>
      <c>256 bits</c>
      <c>Master salt length</c>
      <c>224 bits</c>
      <c>Key Derivation Function</c>
      <c>AES_256_CM_PRF <xref target="RFC6188"/></c>
      <c>E_MAX (SRTP)</c>
      <c>2^48 encryption invocations</c>
      <c>E_MAX (SRTCP)</c>
      <c>2^31 encryption invocations</c>
      <c>D_MAX</c>
      <c>2^118 decryption invocations</c>
      <c>AEAD authentication tag length</c>
      <c>112 bits</c>
</texttable>

</section>
<section anchor="security-considerations"><name>Security Considerations</name>

<section anchor="handling-of-security-critical-parameters"><name>Handling of Security-Critical Parameters</name>

<t>The following security-critical parameters must be handled properly:</t>

<t><list style="symbols">
  <t>The master salt, if kept secret, <bcp14>MUST</bcp14> be properly erased when no longer needed.</t>
  <t>The secret master key and all keys derived from it <bcp14>MUST</bcp14> be kept secret and <bcp14>MUST</bcp14> be properly erased when no longer needed.</t>
  <t>Each time a rekey occurs, the initial values of both the 31-bit SRTCP index and the 48-bit SRTP packet index (ROC||SEQ) <bcp14>MUST</bcp14> be saved to prevent IV reuse.</t>
  <t>Processing <bcp14>MUST</bcp14> cease if either the 31-bit SRTCP index or the 48-bit SRTP packet index cycles back to its initial value. Processing <bcp14>MUST NOT</bcp14> resume until a new session has been established using a new master key.</t>
  <t>GCM-SST <bcp14>MUST</bcp14> be used in a nonce-respecting setting. For a given key, a nonce <bcp14>MUST</bcp14> only be used once in the encryption function and only once in a successful decryption function call. Nonce reuse enables universal forgery.</t>
</list></t>

</section>
<section anchor="size-of-the-authentication-tag"><name>Size of the Authentication Tag</name>

<t>The GCM-SST tag_length <bcp14>SHOULD NOT</bcp14> be smaller than 4 octets. Unlike AES-GCM, GCM-SST provides near-ideal forgery probabilities even for short tags, making 48-bit tags suitable for applications such as audio packet encryption where overhead is critical. The 96-bit and 112-bit tag lengths provide higher security margins suitable for most other SRTP use cases. Implementations <bcp14>MUST</bcp14> use the tag length associated with the negotiated cipher suite and <bcp14>MUST NOT</bcp14> truncate or extend the tag.</t>

</section>
<section anchor="replay-protection"><name>Replay Protection</name>

<t>GCM-SST <bcp14>MUST</bcp14> be used with replay protection. The SRTP sequence number and rollover counter, or the SRTCP index, provide the basis for replay protection. For examples of replay protection mechanisms, see <xref target="RFC4303"/> and <xref target="RFC6479"/>.</t>

</section>
<section anchor="rekeying"><name>Rekeying</name>

<t>Implementations <bcp14>SHOULD</bcp14> rekey well before reaching E_MAX. To minimize the impact of key compromise, rekeying via ephemeral key exchange providing forward secrecy <bcp14>SHOULD</bcp14> occur after at most 1 hour or 2^30 to 2^37 octets of data, whichever comes first.</t>

</section>
<section anchor="multicast-and-broadcast"><name>Multicast and Broadcast</name>

<t>Although GCM-SST offers stronger security than AES-GCM for short tags, it is not ideal in multicast or broadcast settings. A few successful forgeries against one or more recipients enable the attacker to create a new forgery targeting all other recipients sharing the same key. See Section 5.6 of <xref target="I-D.mattsson-cfrg-aes-gcm-sst"/> for further details.</t>

</section>
</section>
<section anchor="iana-considerations"><name>IANA Considerations</name>

<section anchor="dtls-srtp"><name>DTLS-SRTP</name>

<t>DTLS-SRTP <xref target="RFC5764"/> defines SRTP protection profiles. IANA is requested to register the following SRTP protection profiles:</t>

<figure><artwork><![CDATA[
  SRTP_AEAD_AES_128_GCM_SST_6   = {0x00, TBD1}
  SRTP_AEAD_AES_128_GCM_SST_12  = {0x00, TBD2}
  SRTP_AEAD_AES_128_GCM_SST_14  = {0x00, TBD3}
  SRTP_AEAD_AES_256_GCM_SST_6   = {0x00, TBD4}
  SRTP_AEAD_AES_256_GCM_SST_12  = {0x00, TBD5}
  SRTP_AEAD_AES_256_GCM_SST_14  = {0x00, TBD6}
  SRTP_AEAD_RIJNDAEL_GCM_SST_6  = {0x00, TBD7}
  SRTP_AEAD_RIJNDAEL_GCM_SST_12 = {0x00, TBD8}
  SRTP_AEAD_RIJNDAEL_GCM_SST_14 = {0x00, TBD9}
]]></artwork></figure>

<t>The SRTP transform parameters for each protection profile are as follows:</t>

<figure><artwork><![CDATA[
  SRTP_AEAD_AES_128_GCM_SST_6
    cipher:                 AES_128_GCM_SST
    cipher_key_length:      128 bits
    cipher_salt_length:     96 bits
    aead_auth_tag_length:   6 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_AES_128_GCM_SST_12
    cipher:                 AES_128_GCM_SST
    cipher_key_length:      128 bits
    cipher_salt_length:     96 bits
    aead_auth_tag_length:   12 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_AES_128_GCM_SST_14
    cipher:                 AES_128_GCM_SST
    cipher_key_length:      128 bits
    cipher_salt_length:     96 bits
    aead_auth_tag_length:   14 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_AES_256_GCM_SST_6
    cipher:                 AES_256_GCM_SST
    cipher_key_length:      256 bits
    cipher_salt_length:     96 bits
    aead_auth_tag_length:   6 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_AES_256_GCM_SST_12
    cipher:                 AES_256_GCM_SST
    cipher_key_length:      256 bits
    cipher_salt_length:     96 bits
    aead_auth_tag_length:   12 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_AES_256_GCM_SST_14
    cipher:                 AES_256_GCM_SST
    cipher_key_length:      256 bits
    cipher_salt_length:     96 bits
    aead_auth_tag_length:   14 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_RIJNDAEL_GCM_SST_6
    cipher:                 RIJNDAEL_256_GCM_SST
    cipher_key_length:      256 bits
    cipher_salt_length:     224 bits
    aead_auth_tag_length:   6 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_RIJNDAEL_GCM_SST_12
    cipher:                 RIJNDAEL_256_GCM_SST
    cipher_key_length:      256 bits
    cipher_salt_length:     224 bits
    aead_auth_tag_length:   12 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets

  SRTP_AEAD_RIJNDAEL_GCM_SST_14
    cipher:                 RIJNDAEL_256_GCM_SST
    cipher_key_length:      256 bits
    cipher_salt_length:     224 bits
    aead_auth_tag_length:   14 octets
    auth_function:          NULL
    auth_key_length:        N/A
    auth_tag_length:        N/A
    maximum lifetime:       at most 2^31 SRTCP packets and at most 2^48 SRTP packets
]]></artwork></figure>

</section>
<section anchor="mikey"><name>MIKEY</name>

<t>In accordance with <xref target="RFC3830"/>, IANA is requested to add the following to the "Encryption algorithm (Value 0)" subregistry:</t>

<texttable title="MIKEY Encryption Algorithm Registration">
      <ttcol align='left'>SRTP Encr. Algorithm</ttcol>
      <ttcol align='left'>Value</ttcol>
      <ttcol align='left'>Default Session Encr. Key Length</ttcol>
      <ttcol align='left'>Default Auth. Tag Length</ttcol>
      <c>AES-GCM-SST</c>
      <c>TBD10</c>
      <c>16 octets</c>
      <c>variable</c>
      <c>RIJNDAEL-256-GCM-SST</c>
      <c>TBD11</c>
      <c>32 octets</c>
      <c>variable</c>
</texttable>

</section>
<section anchor="parameters-for-use-with-mikey"><name>Parameters for Use with MIKEY</name>

<t>MIKEY specifies the algorithm family separately from the key length and authentication tag length.</t>

<texttable title="Mapping MIKEY Parameters to GCM-SST AEAD Algorithms">
      <ttcol align='left'>AEAD Algorithm</ttcol>
      <ttcol align='left'>Encryption Algorithm</ttcol>
      <ttcol align='left'>Encryption Key Length</ttcol>
      <ttcol align='left'>AEAD Auth. Tag Length</ttcol>
      <c>AEAD_AES_128_GCM_SST_6</c>
      <c>AES-GCM-SST</c>
      <c>16 octets</c>
      <c>6 octets</c>
      <c>AEAD_AES_128_GCM_SST_12</c>
      <c>AES-GCM-SST</c>
      <c>16 octets</c>
      <c>12 octets</c>
      <c>AEAD_AES_128_GCM_SST_14</c>
      <c>AES-GCM-SST</c>
      <c>16 octets</c>
      <c>14 octets</c>
      <c>AEAD_AES_256_GCM_SST_6</c>
      <c>AES-GCM-SST</c>
      <c>32 octets</c>
      <c>6 octets</c>
      <c>AEAD_AES_256_GCM_SST_12</c>
      <c>AES-GCM-SST</c>
      <c>32 octets</c>
      <c>12 octets</c>
      <c>AEAD_AES_256_GCM_SST_14</c>
      <c>AES-GCM-SST</c>
      <c>32 octets</c>
      <c>14 octets</c>
      <c>AEAD_RIJNDAEL_GCM_SST_6</c>
      <c>RIJNDAEL-256-GCM-SST</c>
      <c>32 octets</c>
      <c>6 octets</c>
      <c>AEAD_RIJNDAEL_GCM_SST_12</c>
      <c>RIJNDAEL-256-GCM-SST</c>
      <c>32 octets</c>
      <c>12 octets</c>
      <c>AEAD_RIJNDAEL_GCM_SST_14</c>
      <c>RIJNDAEL-256-GCM-SST</c>
      <c>32 octets</c>
      <c>14 octets</c>
</texttable>

</section>
</section>


  </middle>

  <back>


    <references title='Normative References'>



<reference anchor='RFC3550' target='https://www.rfc-editor.org/info/rfc3550'>
  <front>
    <title>RTP: A Transport Protocol for Real-Time Applications</title>
    <author fullname='H. Schulzrinne' initials='H.' surname='Schulzrinne'/>
    <author fullname='S. Casner' initials='S.' surname='Casner'/>
    <author fullname='R. Frederick' initials='R.' surname='Frederick'/>
    <author fullname='V. Jacobson' initials='V.' surname='Jacobson'/>
    <date month='July' year='2003'/>
    <abstract>
      <t>This memorandum describes RTP, the real-time transport protocol. RTP provides end-to-end network transport functions suitable for applications transmitting real-time data, such as audio, video or simulation data, over multicast or unicast network services. RTP does not address resource reservation and does not guarantee quality-of- service for real-time services. The data transport is augmented by a control protocol (RTCP) to allow monitoring of the data delivery in a manner scalable to large multicast networks, and to provide minimal control and identification functionality. RTP and RTCP are designed to be independent of the underlying transport and network layers. The protocol supports the use of RTP-level translators and mixers. Most of the text in this memorandum is identical to RFC 1889 which it obsoletes. There are no changes in the packet formats on the wire, only changes to the rules and algorithms governing how the protocol is used. The biggest change is an enhancement to the scalable timer algorithm for calculating when to send RTCP packets in order to minimize transmission in excess of the intended rate when many participants join a session simultaneously. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='STD' value='64'/>
  <seriesInfo name='RFC' value='3550'/>
  <seriesInfo name='DOI' value='10.17487/RFC3550'/>
</reference>
<reference anchor='RFC3711' target='https://www.rfc-editor.org/info/rfc3711'>
  <front>
    <title>The Secure Real-time Transport Protocol (SRTP)</title>
    <author fullname='M. Baugher' initials='M.' surname='Baugher'/>
    <author fullname='D. McGrew' initials='D.' surname='McGrew'/>
    <author fullname='M. Naslund' initials='M.' surname='Naslund'/>
    <author fullname='E. Carrara' initials='E.' surname='Carrara'/>
    <author fullname='K. Norrman' initials='K.' surname='Norrman'/>
    <date month='March' year='2004'/>
    <abstract>
      <t>This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='3711'/>
  <seriesInfo name='DOI' value='10.17487/RFC3711'/>
</reference>
<reference anchor='RFC3830' target='https://www.rfc-editor.org/info/rfc3830'>
  <front>
    <title>MIKEY: Multimedia Internet KEYing</title>
    <author fullname='J. Arkko' initials='J.' surname='Arkko'/>
    <author fullname='E. Carrara' initials='E.' surname='Carrara'/>
    <author fullname='F. Lindholm' initials='F.' surname='Lindholm'/>
    <author fullname='M. Naslund' initials='M.' surname='Naslund'/>
    <author fullname='K. Norrman' initials='K.' surname='Norrman'/>
    <date month='August' year='2004'/>
    <abstract>
      <t>This document describes a key management scheme that can be used for real-time applications (both for peer-to-peer communication and group communication). In particular, its use to support the Secure Real-time Transport Protocol is described in detail. Security protocols for real-time multimedia applications have started to appear. This has brought forward the need for a key management solution to support these protocols. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='3830'/>
  <seriesInfo name='DOI' value='10.17487/RFC3830'/>
</reference>
<reference anchor='RFC5116' target='https://www.rfc-editor.org/info/rfc5116'>
  <front>
    <title>An Interface and Algorithms for Authenticated Encryption</title>
    <author fullname='D. McGrew' initials='D.' surname='McGrew'/>
    <date month='January' year='2008'/>
    <abstract>
      <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='5116'/>
  <seriesInfo name='DOI' value='10.17487/RFC5116'/>
</reference>
<reference anchor='RFC5764' target='https://www.rfc-editor.org/info/rfc5764'>
  <front>
    <title>Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)</title>
    <author fullname='D. McGrew' initials='D.' surname='McGrew'/>
    <author fullname='E. Rescorla' initials='E.' surname='Rescorla'/>
    <date month='May' year='2010'/>
    <abstract>
      <t>This document describes a Datagram Transport Layer Security (DTLS) extension to establish keys for Secure RTP (SRTP) and Secure RTP Control Protocol (SRTCP) flows. DTLS keying happens on the media path, independent of any out-of-band signalling channel present. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='5764'/>
  <seriesInfo name='DOI' value='10.17487/RFC5764'/>
</reference>
<reference anchor='RFC6188' target='https://www.rfc-editor.org/info/rfc6188'>
  <front>
    <title>The Use of AES-192 and AES-256 in Secure RTP</title>
    <author fullname='D. McGrew' initials='D.' surname='McGrew'/>
    <date month='March' year='2011'/>
    <abstract>
      <t>This memo describes the use of the Advanced Encryption Standard (AES) with 192- and 256-bit keys within the Secure RTP (SRTP) protocol. It details counter mode encryption for SRTP and Secure Realtime Transport Control Protocol (SRTCP) and a new SRTP Key Derivation Function (KDF) for AES-192 and AES-256. [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='6188'/>
  <seriesInfo name='DOI' value='10.17487/RFC6188'/>
</reference>
<reference anchor='RFC6904' target='https://www.rfc-editor.org/info/rfc6904'>
  <front>
    <title>Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)</title>
    <author fullname='J. Lennox' initials='J.' surname='Lennox'/>
    <date month='April' year='2013'/>
    <abstract>
      <t>The Secure Real-time Transport Protocol (SRTP) provides authentication, but not encryption, of the headers of Real-time Transport Protocol (RTP) packets. However, RTP header extensions may carry sensitive information for which participants in multimedia sessions want confidentiality. This document provides a mechanism, extending the mechanisms of SRTP, to selectively encrypt RTP header extensions in SRTP.</t>
      <t>This document updates RFC 3711, the Secure Real-time Transport Protocol specification, to require that all future SRTP encryption transforms specify how RTP header extensions are to be encrypted.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='6904'/>
  <seriesInfo name='DOI' value='10.17487/RFC6904'/>
</reference>

<reference anchor='I-D.mattsson-cfrg-aes-gcm-sst' target='https://datatracker.ietf.org/doc/html/draft-mattsson-cfrg-aes-gcm-sst-21'>
   <front>
      <title>Galois Counter Mode with Strong Secure Tags (GCM-SST)</title>
      <author fullname='Matt Campagna' initials='M.' surname='Campagna'>
         <organization>Amazon Web Services</organization>
      </author>
      <author fullname='Alexander Maximov' initials='A.' surname='Maximov'>
         <organization>Ericsson</organization>
      </author>
      <author fullname='John Preuß Mattsson' initials='J. P.' surname='Mattsson'>
         <organization>Ericsson</organization>
      </author>
      <date day='5' month='July' year='2026'/>
      <abstract>
	 <t>   This document defines Galois Counter Mode with Strong Secure Tags
   (GCM-SST), an Authenticated Encryption with Associated Data (AEAD)
   algorithm that addresses several weaknesses of GCM.  GCM-SST can be
   used with any keystream generator, not only 128-bit block ciphers.
   Main differences from GCM are the introduction of a second
   authentication subkey H_2, per-nonce derivation of both H and H_2,
   and stricter usage limits.  Together, these changes yield
   authentication tags with near-ideal forgery probabilities, including
   reforgeability resistance.  All registered instances have an expected
   number of forgeries E(F) ≈ v / 2^t, a property that GCM is far from
   providing.  GCM-SST is designed for security protocols with replay
   protection such as TLS, QUIC, SRTP, and PDCP, and provides hardware
   and software performance comparable to GCM.  This document registers
   nine AEAD algorithm instances using AES and Rijndael-256 in counter
   mode, with tag lengths of 48, 96, and 112 bits.  GCM-SST has been
   standardized by 3GPP for use with SNOW 5G, AES-256, and ZUC-256.

	 </t>
      </abstract>
   </front>
   <seriesInfo name='Internet-Draft' value='draft-mattsson-cfrg-aes-gcm-sst-21'/>
   
</reference>
<reference anchor='RFC2119' target='https://www.rfc-editor.org/info/rfc2119'>
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname='S. Bradner' initials='S.' surname='Bradner'/>
    <date month='March' year='1997'/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name='BCP' value='14'/>
  <seriesInfo name='RFC' value='2119'/>
  <seriesInfo name='DOI' value='10.17487/RFC2119'/>
</reference>
<reference anchor='RFC8174' target='https://www.rfc-editor.org/info/rfc8174'>
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname='B. Leiba' initials='B.' surname='Leiba'/>
    <date month='May' year='2017'/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name='BCP' value='14'/>
  <seriesInfo name='RFC' value='8174'/>
  <seriesInfo name='DOI' value='10.17487/RFC8174'/>
</reference>



    </references>

    <references title='Informative References'>



<reference anchor='RFC4303' target='https://www.rfc-editor.org/info/rfc4303'>
  <front>
    <title>IP Encapsulating Security Payload (ESP)</title>
    <author fullname='S. Kent' initials='S.' surname='Kent'/>
    <date month='December' year='2005'/>
    <abstract>
      <t>This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK]</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='4303'/>
  <seriesInfo name='DOI' value='10.17487/RFC4303'/>
</reference>
<reference anchor='RFC6479' target='https://www.rfc-editor.org/info/rfc6479'>
  <front>
    <title>IPsec Anti-Replay Algorithm without Bit Shifting</title>
    <author fullname='X. Zhang' initials='X.' surname='Zhang'/>
    <author fullname='T. Tsou' initials='T.' surname='Tsou'/>
    <date month='January' year='2012'/>
    <abstract>
      <t>This document presents an alternate method to do the anti-replay checks and updates for IP Authentication Header (AH) and Encapsulating Security Protocol (ESP). The method defined in this document obviates the need for bit shifting and it reduces the number of times an anti-replay window is adjusted. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
    </abstract>
  </front>
  <seriesInfo name='RFC' value='6479'/>
  <seriesInfo name='DOI' value='10.17487/RFC6479'/>
</reference>



    </references>


<section numbered="false" anchor="acknowledgments"><name>Acknowledgments</name>

<t>The authors would like to thank the authors of RFC 7714, David McGrew and Kevin Igoe, whose document structure this specification closely follows. The authors also thank the authors of <xref target="I-D.mattsson-cfrg-aes-gcm-sst"/>, Matthew Campagna, Alexander Maximov, and John Preuß Mattsson, for defining the GCM-SST algorithm.</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIACarS2oAA+09XXPbOJLv+hU450W+kRTLVhzHtdk6jexMPBMnXtvJzNbt
jQsiIYkTitSRlB1PnH27qrtfsfd8z1d177vv9yP2l1x/ACBIkZLiOHOZTORU
RSKBRqPRaDS6G412u93IgixU+2Ljm8Fx++zsXPTn2URFWeDJTPniMPKS61kW
xJEIIgFvxJny5okSp0qG7SyYKnGeyCidxUkmTpI4i704FM2z0/OTzY2GHA4T
dekAH8WJwHcbDQQ/jpPrfZFmfqPhx14kp4CHn8hR1r5SaaaScB75bXmZeXGi
2mmSzdpjb9pO06wdQu00a6Tz4TRIU8Auu55B5aPD8yeNaD4dqmS/4UOZ/YYX
R6mK0nm6L7JkrhqAzU5DJkoCVv3T843GVZy8HifxfIYP5n4Q338V+Cp2ujWA
5sWxDKJMRTLy1EbjtbqGav5+Q7TFIJhNFPRqHmQKf+uu4lfsaaNxqaI5ICLE
+7Uimv1X54MXp4dARyG4fxvfA7JBNBbfICh8PpVBCM+BSP8UqGzUiZMxPpaJ
N4HHkyybpfv372MpfBRcqo4pdh8f3B8m8VWq7kP9+1hvHGST+RBqjsM4iObh
/bWGA2vyiDhtaggdBtmBHq8Fa71SnUk2DTcaDQnMGic4DoACcCiM8nFHfG8r
41Pmq2M5juZp6RWQYV8cJoGXpnGEDxTTc0qFOzkS/6R0oY4XTxtuc992gO3V
/G9/gRayzMDhNr+NJ1HV27pmf4LynakuWGoyihN4AwO4D82L0yeDnQcPtvb1
14fdrvm6t2OePuh2d83Xh7s9/XW3u7dnvj7aoqdH7QPbatsbJeO2VKmhNDQX
RKNy472drR0DpffwETzudDqNRrvdFnKYZon0skbjfBKkAib2fAryRPhqFEQq
FZP4iuSIEQnNbyRwSgr8PwfWT8Rx7CtxBUwjzrIkBl7XAudcjtPNeulENfrQ
BS+gVwcykzCFDvsHm0KGIGng/VSM5DQIr4UnIzFUYp5CwSwWsyS+hNkoQFaM
4H8AL8MguxYy8oWPcGTe6q0kYcf2Vvp+otIU6PA6iq8AbSVfR/wAoPYPz9pQ
ksRkOkFApZYzIEIL2JOEQJBB9TAUKYoenypNlR9IoXKyQBehtwj+CqSUEiFQ
P75UyURJXwDVPaALAA9h8Gj0poHvh6rRuCeOIiC/P/cQDI7l+/RXvH2r2fLd
O2xFIolHQahEPCLSLYfhgAAmf/euBcgH3oSGrWasgChARTlWJYq1aBATNQvl
NdbNlMeEjBmP8xNYFuRoFHhUUD8G4ND50L5C0kLRVi3uA13B7cMAxr3RuBXD
Ut9x/gL5dIdTMYyhQhWL4pIxTvAXsJAUKfAGUJoaiseJnAHtRDxTCRGkI2ha
pjPlBSPDVsBQ0ADyih6fW05OQH5xsvHERzShX0tlzbt3SDA9B6DVK+gpAKBp
OpxnYiIrpg3wdcRFCK/aaYMdVziSY5UQKwzlMCAa4ug6rabBOCLSRBk0Dus8
kCWbAOsBNjJkhgIqzz0PEBjNQwsTVB0okBIBSwiAogI6g3jagrkphyHOXgAI
dJDeayArsB0BAeLhdB6m6l/nKDM1T6dV8gPgA2IOIYY4/jxnDXzfD7B5GVoE
tlmowdpyiYVGAGyiX6biKb2EMkgRJWHGRTFoIi3oWToPM5I5kYiUTNpEiwpq
BoAIkCFyRBgSnwDTc1jcocNTBDcL8/EAUqjpLEuBAc7qRhC0Gpya0ymL4LKs
64id7fYwyPKyaQbNyoRYbxqnmUgkaF4CyP8a9JVrlYAs3e0V6+Twj+JzFAB6
htOoz2ahQcjUx+fQLgHiX3tbdRAXpLMDEMaY9EIxQ5bIdAemwBAtARqtAoVP
t6ZA34TfyIp6IQBKTcUkGE+AX1HZDXCpRqYqyQAt93NuImZkXjKz3xkznk88
z1Oc5zhZxnMJNMmUQmwu48DXCABb8GKqoBaMMIIDnRMGt42Tpx0pnC4Shppg
A3eMkNmH0FuslcLCBLVQWwc1nWR0inNsImDO4+QcnJ8iJYckSgizp8f9QWep
lhETFogcQuhu77V1x1v0YPvBbv4AKXsa/AT8osK23QsVBBot0bi+UeEzlPAt
RmWRWUWoonE2SZGkvb2WeLTLTXS72wK4w0qjEPqNFPR4F0FLOY+9FpugWv35
z38GVQtxuQC0L6AfF4DgBSB4sSv4o/unsRG77djLVCaavT3kxU3EqA4EIFQF
orttYDzaXQ2jVw2jZ2BAtyuBwBBU9gWer9sXF4TbFwfEyr4UYPSqYSzty+nR
t88P+ofPyp2xHLVmhxbg6B5VwVnaq0VAvXpA1V1Dtmt8z6vrIotSXe6BaOou
bfLcNpv8Fs8RnISpYByhiW23rNZGrI4jfVj5QB3K5Q0CwxkMYirF5YoXRgZs
RCVoh7CUTIMomAY/I6pWwzW1p7i5NmKU57Cu3GHddmHqF3uLcqRAuiYKD+wQ
LJwtYX4Mw9h7vYliwtMK0xQVJskSFtfYLFFyKsYqQnUsTjpFqEQpKUBQ6QHZ
3u7xgOiFmPVgpEKQUFE/GI1ArweSHL0SepuGEgj1FSP4hhK1o2KHmqlSoI4l
pnXaXAeXoG+ilCq+8PgNarOwLwBV9xJlHQpoLHuAcorUjJRJiXoGWkdSsXH8
8ux8o8X/i+cv6Pvp4R9eHp0eHuD3s6f9Z8/sl4Yucfb0xctnB/m3vObgxfHx
4fMDrgxPReFRY+O4/8cNlrMbL07Oj1487z/b4N2au0agdIW1ATaAqDkns0Sh
/i3TBnAg7IeGrKt+PTj563/CrHn79h9AGd/udh8BcfjHXvdhD36g5smtxRFq
ivQTiH7dgHUdlCRSx2GN8+QsyEAxbCEjwPoK+ivuxYCc//jPSJl/2Re/G3qz
bu/3+gF2uPDQ0KzwkGi2+GShMhOx4lFFM5aaheclShfx7f+x8NvQ3XnIbJGv
dUBzWEsnEnQUsw0B1UhG8C5dGC1Y/44iVORgx4NMtt/Yh60pCTmkPRph8pe0
14xEM99mXdD8TGUIc2gmA1S1x4oUFBZ+MDy0w2etY46TChUZvZ1GNQ5U83nE
m0YQU7CNCq87iAEKkftaCSBdWUX+LAaOIgAw46/iInKp2VyVt0lG2Z5KNDfh
/NkHjlJWjhZ2qM6LgX3TQSJdxp6lUI6c7R7IHVYshkn8WiHhMqtsdsQhIsC/
BAtkVNdw33WdbykD24bpCjA60CTBHWxpJCr7itu74o4XkaWdL0gsalkW9su4
64vizOjMygcIJyEZSd9kC3Vph2yLssrugoPKbK01tZEv43k2g1ZcfB0N3Yx9
i1TTIKVNkC6bt2RR0lzOdKvYB8KaB0icyqvqzkdaec4hRzDU5T6AEH4BC9xl
oK4MKs54Uw/OzPLZR6svGj2AtWFrVSpmV1kkHq0S81nMC0c+XWF4Iw83aynM
RdkRXyOV4eGl9K7LNKZNDfJYEZjZW1xPpypLkJOtTg3bnqg8I4zeb9di1vvT
Za0SO1tO1fwLxBpCA9hPEPLOBKN9/gQwZQYHKTCTCcAKZpJG2MxlQg82PQFu
XZ3qIPWsATENcDcrIwWqBSwDQ9yDXeL+LIeCUgT6Ng4inCjOKORKiId4fgeg
D3Bvzn16YgRP87uDJ5s0O3DDqKydSnfBQYwtCUBCBR3Cxhxepj0+kg7FIfaS
HlgpYzc1HXEWoAOivPvRw1DYwK45EK0FYH5MExstT5Y9DM4liIgmUMjnPZOv
MhmEJEyNKbk4rgrE0DAM0okWAWacVXalYBTtQEd6kw0CIEWLIhHUAwnPk8pZ
g5gJpsoDrSpIWWInCprTdhb1RgsGUN9SswyFabwO6EZDaelLJkXD8kFK0va1
3lMzxRckGjZOY2cXBGYoWBlBllzBMhWQofBnJuQrkANQsnn0ipgJubcjnmjr
V4WW2GLgdvphN8xe4ew68iZJHBnYZ/E8QafV2dnpYFOwiXIUqKRVqHWKUgUm
hzUoNk9fDDZZicJyZktzRno+wHtOzjwAe/iHTV6ysZjd+jisiExt2d/ZHYFe
rJVdq+NudjS1Cj1DzNmc0yVlnosEka/e5C2/b4NWdyY6L99lMKlSCWygV2Ig
YOhbK5Jj+3D2CPUY2SI5RrfQ97/BvQqIbJrAJzydgdfh1T1+lmse8BWWUpYx
L2hZTbHYPWP2JvOxsWdwWXQiCVHU14T5vCDsQXeB9lqiu4tsvrMtqFMpVSwy
+IVm8HLFbay4vedWzNWQC1qBK1rEuXopQbcZhkqbc6hqvtgXPquqQl1NE+5z
ronUgmnpuuJxQyz7cKmmRWxTfIWaxoVumTbyKDq9vEmtzaQfrMvg8B6oz2h4
1xiXdYZ3DS7Jh9eMYN72pmi7Q4hVXwEhfFDWLp6EcpxD/DqOQ9g8tcT56ctD
ESBmUK4lnvSfnR2KGPXJqyBVzAUwWE9hdoa6EzR/+4VhBQ0dtCFY/+MpKX/a
xELb0plMU72QF1lhqEZoYJGwSlKDQmovG/mVZqH0YJHLKYLyoez5MvteVKsS
BT0iBRKaCJ19xKKZFV1CQ1zWqdekIIuzSTwP/aXV0OCUGwE0xbCCFryEDbzz
g9STiW/UbiO2czFo1SeiLS2XIG2fWEMMvja13t4zUtdMEveztfRfF/4tVoCn
20LsCNET4oEQu0I8FGJPiEf8tlDhq3Z79b9CjZutLfyHX2lthCf0HJZs+g5r
srhpl2ut1Q7WXy7Taj43d9DWjf3muGPPcO10yrR/3/xq81fasWq1T5f53a0G
jBj27b64NwrGRnkQFDr22AZ3MfdXtp1PiCbompsb73hBcnWmubY2aE9sDjGg
PcqU346CJKXVC9XfiDdrZslAifazSmKjSVlVFZi3+CQxaqi3XA1NjRoaOWoo
b0Nyl6jtBIiRuUJ0UdyIH16cGm2toLIWlDR8c/Sqs0R4LKiMb+8tKHFGnGxV
/HUr/raLf1QTn+6AHHkAUuQhyJBH6zxrAPPc8q/hTMMt0eya5XuzOCu06Lkx
QgcGQIucW7d86ynqztUPbP2mAK8shprb1dTIxdLn0vmaDWp1/7XounXrBRlW
nkRGmC3Mt3WkmpFn7o7LyLNqgCuFmp0Q/09SzXZlqVSzpaqkGkHkGAB+b918
xRCbcaIkomutkXIs0ZgM5RWooaBTS2tsosCRNu4iOHiGrFIzMvBom1iNLYNl
LKma59czlfvyT1jDZb3X9QxaJZDMykW7NMVhWJs026UQtN6wI30AvgusbHkv
6b+tXD3WsQjaRox2UN6Iofm1wnp+rsPY0N8JvWUM9gXwAZmiYOvPEQfACDMM
CEKdFTcQJyB08QU8h0YxagRXHHzzQ/5mgMKX2EkMBqLZM5CmMsG4peO85Im8
DmPpE3HFybloPjRlF9gNdnr6FZq80kxOZ6K5Y7Ekge/8jmc6homQyS1LOhzG
vkYi2J6U/QSGSjNGs6V/MD2asGvC6arnin6l+21flgz35DswbRPfHLMZEo24
RxZL0Tz+7mjTGFdPqjYjzatJnLIVFKZZydmGzZrVffHTrXi2XfFs5/ZrvHn2
AYLXCuD+zavH2zcnNz/AEjCg9fyYFwNgGBbxGt8yz9zF4uNgsWR5y1my/nP3
WKQla2paY00tY/H4A/9KtKC412A4Z2O2xmFQwiEt0WIpOYXowGdpgY84qAWR
IJrGN13Wqu4Oi5MltNCihyiyhBbLQNAHtmNLP8ux4FYK4s/5rWXendACRM6J
eFwwhPXhd2kJW9xYzjA8Qytjdn02Jqa6cOqNd1/E5Bcx+UVM3mpQf3ExOVhC
C621LyfHzVIQYrmMvcOOnO5XwmZ18LujFbSEz/6dY1GrZZYVy7vGAmTnAOR7
wX9SIfDh6Sk8Nap0hfzHSH29ADg7NH1yYNkC4Ho3nvJ26NCwdapjWeloDZ58
45NJAZ0dQX+5jT7IwzThvY7ULLrhUxUqD585+658/sBL9Oyn7PKtiydFHE24
NLbY4riAvHGz+8wx4Ep6j0vx14NjPqGAu+71msMoUwr7aAaRF85t9P5yz/Rm
qxTAugo5DKguIkfbJR0CA3iyP0kl7KqOrk1Mq19Bz9w6ppWAiiC6PF4C9ktf
L8aBzaP8d7kF3pxnZIWwzs4SfDyFUORj7lKpGDq/GEdr68hPZ1UEy6CFdxEd
jnpzj++YwKehuo4ByhXGiwEfC2Rk2xSbOE7wGFJkYvCMUflU4fbSeqDaCf5G
qxWefqQKWIqe8lij7aiFLh7ekG8CfejADg1chAFO+QnKq8BTuU2IAhjykByM
a6JgGcs0etgpJseOp21Px2l61x6eTDHnQwI0hDH7hGySYn6XC7FZOopCUUgf
RnaRPYGq5CYdCgJCGlGsL8D3g/QnCt6cxTFG6mKYJeBpWdYNCtPHcAoxnwSY
woCRzm6ToySeEvoyRbMXNIhNrPInDk6sQYrjVGagmPsLpqliaGAhBsidNzA7
rKmCTwz6JsASwzs53sWxQpMZKIy5yE/zNHNHajE8plM4J2Bmz+JhlVbNwY+W
oBik6nMUpbh1joBHIuvDB4UjByCogumMBbAOuiVSYfnFEwhVZ8xGpVAqLcaR
kdi1XRGyo2Nx7akfbnMqM29iozOd19bdM6jw97juL5qu3jKPcb0DuAt7kY/g
AOYnW19p7P03XxzAn2DHfgEHsFfjAR7cvQt4UHKX3Mb7W1XKBqlubG2gsTn3
lFSIuI/n9K2SAiu8vt5vxe0LXQFhgzQKvrh9P5/O/7Ju31q/r7fK8btamL2v
53e5LFvT6XvXwuwOfL0V3tVDu+Hipq2jlXRFrFfWOPFQhiLQ3Wpf56v3cGom
ylMMO1F0gp9N2+hbfGDqassC+Sybe+apVuKahszWJ9nLH5RRt83aUxQ6cry5
02W4ZY9k32qU6Dle4VwcsDkpB76Ogedz9BwCRqSIojRxR68oWvUI3pX8crBw
IC43RtN5lsgv2qI/upNJN4kZm2rL3JG5rx4LPd/oMHRab4ndvwvDfC0WrvFE
b5orMbkTLPo33foxcaVB3eejGaNz2bHSFP2RjNFrCqs7xmI956NYbosG/UBF
nlEQ+GClVgronAstZM5KQIH5j0VX26KLy+FLxwL5/gvi1n5p+XgeR6r6OG3f
nGlWb3AFJMA1a8nK06lf1qESX31Zh2qwKH5+wXWoHotfch2qxeIXXoe2vqxD
NVi8p0v07tahW6075K9675VnS688Cz6gQe4EgjWDzga7p9m1N8E9Ob3U4L+O
d4YOHMZTcoUKNHHgFmoqIzkm6zynAyy6o97xqWk85E4n2fk0OnlKXkY6LYdz
eP4JhbrasxMmsUFxnM+BMFSQ9+lEyupUkc4Bb0MQOhGWBFNMW7aqUkf086nu
4FNXPhV5FhbjSss37YXI0mpINsFciYt5dS7AnsFenw+bA63YpU6b5kbDmCb8
GDOfxJnxw7IGwQfkcIfNDnCZJ2whqSrS4GcY6iNKXuGiQAktMhtzyzv0nL7Y
kPEeziNK7eTkhyNv3Hge6NxtehHVB1XnuLCEdPLe6kM2MRFmng00v9FILyY3
YLdaORtBnj/SoTdxQQrETkfXpZwYXt4WKGY3QM9EThXOpxtxzKls4NsrMqfc
wPv+xXH/B3wn3wTT+XRBHug+3uSOvUzgGciMTreysQfhPL84PnqOxTDX1XzK
aaH4QL8FkdcgQ3vhcKxoGqPUpoFXwOtD4Z2U4OX6twW3/WP3wSLAH/H4byXI
QQmkc4jZwuRm3UPPUBUEqis/XfYwbMEDjUKz7y7TeixxaNvikGA3p4ZCHGkH
3Oj6V+0R+JS8xiBUN/d1TZgZ2z/29oqsuP3jTjd3NXZKPEruShuPQsk6gVFs
+o48yIByKKFEnqG+RULVnsUncxfGBLTFQV0XfLWiC09KHsmS8/Mg7+GD3nop
Dpwq3e4eoFdqorU6SaygYyGwiGCWJRQ0M511N4UxAboABzPp//o/mjPu4+ny
v//XvyGejzrie5zoXASIQKODdD3Jn1gW1aeCORNyJdjHBNSkZmNxEVBKCcpI
BPIKBOSI0rE66UNtCjd9Pkbrhi0NWeeXCYDF+CS0jvHwucOWsxIFeGGIi+fF
CQpZzAAau4WqaQAVp3jGxuLrm7y2K0I1nJalNzH5Q8qDzlQrZMWjpcLJHir+
97/F3//j32GnhmI3npuVhyMIMDO1na8tZ3TyHbErMq4WBpSXhJp8OnjYZ3Wu
HZMdnOcfRQDYIKW6rDo63KMyN48JGCpkIi2FN9hghWKU18XJ6RMBeIlChjon
yXYO20lqWp3TdEWDHLm1pEFMIE+Jmp/o3IrrJDVBUNSUIaZljiIlNRPqtIfo
ETKxGqU0J9xhTVxySFS6TVHObPOpJeaIs/mUtDlgE1PGvcDBHgu7r5WF88Ky
X01DJ1srYYHkLOkSpCQ8x8CoG2K8M5wMN6Sc8lfUEWoSvN6InNFvhP1aXwcW
7GKdog5Rl8G1VKdXWaeUsPUmT9hRj1spQ2uxTg1upYyspTqLuFUlYF2JXFW2
1ZXYVWVWrUcvV0Kq2W1REykqkzVMgdgc5xs4R1djL5ZbgGaHLfFoNy9QJwJv
yqLHTeePFbVOxLn+b3gFrVGHisUHujxoP0vKH2iVD7WKOh3FjEd97mUA0LPU
KCqDFRQdUKpsHpY1hwG55cs4rDMOeWdXjAOQ9DYD0fsyEOsNhEk/vsZI9NYd
ieKSUDcQGHh+VwPh6CiOSvKrGoilkqlI0VsMwxLJ9GUc1pdMJZLeZiDqJdOX
gXgPyVSi6RojUaEQ3n4kzB7iVzIU3e7exxFOFUS9zVB8kHj6jY1FrYCqouqt
BuNDRNRvbDDqhVQVWcujcS9Py43G6MDXV3KlC3kZTbn2QF/Plo9jWrZJmKw5
bXOVm2PAFlM+uyMmCJzNiJTBnizbJQtKC5NHvlZ0vhHTZbdyK6CuJQBhcpSg
9zGKRRhHaLtkz1zHgFxMtk1GnTBkU5kxZ+tzUbYRp2Wq8P6N51mUjRkz9oA2
2gQVcCCvOZYFVKa8PjUOTuOH04eMnLxAJq7z9MXgTzd/uqETawbXVF6aGwWL
Z+oIP+eUF1Xw0LSLRNdZ32tQ0Wa2WkwqfLGFvnYWGkavIEb/TpXOsMnZok32
aptT0/UH89kuWXIdU7+MZcNQgQyndBUduZPa0NQMr90jZs3w/+LZPTq0pws7
B+kMJHqsr1ysyMyfX8BhChYuZ3Omu60BkyTsYASVp3h47EVY8yjAxEn51Wb6
lAba6MwNAQv+ZZ6RhgqOD6rohKXLvGiYZSSMiagjXkZh8FoZF0jLwrEHSG9z
35q9Gsw9JIfmSkpZi2Xdq8dswn3p3EDm0prvjqy8N5KmvD5apy+4Mi3aO7DM
nY14RZmb52sqkzE5IVzE6KI2DowmXrc3WHbEUd3RPhwXR1DL3Ltqo9cjNY4z
fuZab3NRg6OUJXMKx8c5R+dxfQNau875HskTe49k7kAvMD+1unDpJNOKOlVO
3EGXVJbSt7XMzHeEQcvSEl8MZcqHCaraekJ9kEgyknaLd2DmoQiYpEvxsow3
u9qs4Pp6VzL3U/c5532jUR4JzeksdelSUu0vIjcRMiIt2kCB2NzTxF0IpsBt
dFQXa+I5V1gWgpTuHNQJ9i/xzjxz5x0VU28Q8bE5ZK2PzV7hTX+0gHjXBiFa
AHTmAJkxb3XFJJ4n7HXe2WJX0s5D50iFT/nYyJ+neDymaKnFJH1Mh2M8N+Gh
dx7J9HUSSx9/YWgBurLGEzuJY7ydKdWX6LmsT0Jg8bpXnrsBXwYSZ3zlJF0d
aJuEskPTopGneE2FGKEIL99KifLBpNPDM800wWhcYBYEFJvDso8zfDsXUnp0
Hl5LfCN4MvRWkiTPD8Q6oNDnZY4A0zFwcnudKbo7lnjuQWcXSbzax4s0Gc0T
PiDBVz506Fra/vN+lfp0cP7srM2JmO1XfY/qw11M9mBuBuQFNJ8F+mZaFC8I
mlybMDlTnfMhUeOAVrtiAEgdFHtdHxa4qL2z77F4u/Vma6slzr8+6L5bWhxv
gHOLb68o3isW31ksXr50zy3eW168jMyDFcVLyOwWi1c5bdziD1cUB2zc4nur
ivcKxR+9yzPjn+lrljhbhatB29uZFgebHH+F9Iwrh57O4PH6sxgkWSrtlMW0
+Vqp0NWMXdsthEp8oZTeO1IZCQv3Be5tLnIFBUsZt1jDxEheGDXJQfD5y2fP
8gILyECB+/38fbGBwnsTghIGI4WauilgZDNt5QrH73nzYF/DztDN0dlYMXU+
PXp3tz9ngvc+QYL3PjOCF8T3Sno7pZfS29h6vgiUpcvfp0fvz06gFBWIT5Dg
n5NAWVTBlhLcFr9Tqhsr8m9GrlRosp8q2T8r8VKxJfhk6f4rlzLmuqnjo+8O
/4jX0+oYZRmZXHEcQ7O3s/XuXat67y19v7Tt1jn+N5yjT3nyvSaft9ja3BDp
fMgb9+SaQi8JNazUEX1b3h7QwDus5TzEawfZAs4l0Z/1zLh+TBE0/3YocNO8
IsdRHiJ/Q3v6rVI4pb0uDIsbtioE63K9bimW0KmXe5yIpu7xr7xPp9xrm5uE
ToMVd7MvTXiqHhqGpg/26LsQnduJ5TTAoHJ9GgG+2ghnx1dYfZg4z3emfWsu
7SvRLzwu0N9eVVZB/Lq42eKw3CaKth7CujG1SyCsGWFbhHCbeNt6COtG3y6B
sG4sbg3T3ypEdw1Ya0furgOrMqD3WM5m5FKj+eNMMhBSBk6R61Oake12m5x1
aM3se6+j+CpU/pjOSQJ0dggo//HGSIapMvmFcHLFAPuKrrYjjxHJQhm9tncz
4vt4RHlBHz7s9lriQF4Gvjj2vknUFU3R79RlEImjcazQvo2XTph7aPML0Pn0
hTnnp88ShVAWpz5butiRYZqkM5uVmKy08rbEMbycAHYDOZ3JcSRbQC31RtLp
cTrxFV/y8Y9v40mE51rnf/sLVUKILZJnZNg1Vmd79CG/cvz/AMQ99R/lkgAA

-->

</rfc>

