[VOIPSEC] H.235, substandard of H.323
Robert R. Gilman
rrg at avaya.com
Mon Dec 18 21:46:06 GMT 2006
Briefly, Communications Manager (CM) gatekeeper supports two types of

1. From the time of our initial release, we've supported a variation of
H.235 Annex D in which the endpoint answers a challenge presented by
the gatekeeper in the GCF. We don't have the endpoint validate the
gatekeeper. The encryption algorithm is DES56-ECB and the key is
constructed from the user's PIN. In this profile, media encryption
keys are distributed under the same key and algorithm in the H.235.0
H235Key element with the sharedSecret CHOICE.

2. We've added support for an H.235.5 profile which uses an encrypted
Diffie-Hellman key exchange to derive a shared secret that's much
stronger than the user PIN. When this profile is in use, media
encryption keys are distributed under AES-128-CM encryption, and all
signalling is authenticated via HMAC-SHA1-96. H235Key is used with
the secureSharedSecret choice. The profile is nominally the same as
SP1 (and we will support SP1), but we identify it with an Avaya OID
to indicate that our proprietary signalling is also encrypted under

SRTP requires support of H235Key.secureSharedSecret and SRTPKeys from
H.235.8, and it fits right in with the above schemes with the following
change: in SRTP, each transmitter supplies its transmit key; in the other
schemes, the H.245 master supplies all the keys. Also, since we don't
bulk-encrypt our signalling channels, we encrypt the ASN.1-encoded SRTPKeys
before putting it in the genericKeyMaterial of V3KeySyncMaterial; the
algorithmOID and paramS carry the requisite encryption info.

Does this answer your question?

Bob Gilman rrg at avaya.com +1 303 538 3868

> Would you please give a brief introduction on the H235 support by
> Avaya's VoIP products?
> e.g. in their 87xx/85xx/83xx and G series.
> - Richard
> - Lenovo GIS
> On 12/12/06, Robert R. Gilman <rrg at avaya.com> wrote:
> As I recall, the change was made in H.235 version 4 which was the first
> version called H.235.0. It contains Appendices (non-normative) which
> detail which Annexes (normative) were mapped to which H.235.x documents.
> Grab a copy from www.packetizer.com.
> Bob Gilman rrg at avaya.com +1 303 538 3868
> Michael Billerbeck wrote:
> > Hello all members of list,
> > version 6 of H.323 was officially approved in June 2006.
> > H.235 is the substandard for security in H.323 and there are
> > several documents/parts:
> > H.235.0 Security framework for H-series
> > H.235.1-5 cover signaling security
> > H.235.6-8 cover media stream security
> > H.235.9 Security Gateway Support for H.323
> > There have been annexes D-I for security before.
> > But when exactly was the change from these annexes D-I to these
> > "parts" H.235.0-9? Was it from H.323 Version 5 to Version 6 or was
> > it already before?
> > It's also said that "security-related documents have also been
> > significantly enhanced and the H.235 document was entirely
> > Are there more details? I only know that "support has been added
> > for SRTP".
> > Thanks in advance,
> > Michael
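
The HMAC-SHA1-96 signalling authentication named in the H.235.5 profile above, as an added example that is not part of the original post and is not Avaya's code: the tag is the leftmost 96 bits of HMAC-SHA1, and the receiver recomputes it and compares in constant time. The message framing (header, tag field, body), the zero placeholder, the key and the sample bytes are assumptions constructed for illustration; they are not the H.225 ASN.1 encoding.

```python
import hashlib
import hmac

TAG_LEN = 12                      # 96 bits: leftmost 12 of the 20 HMAC-SHA1 bytes
PLACEHOLDER = b"\x00" * TAG_LEN   # assumed filler occupying the tag field while hashing


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to its leftmost 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:TAG_LEN]


def protect(key: bytes, header: bytes, body: bytes) -> bytes:
    """Build header || tag || body (constructed framing).

    The tag covers the whole message with the tag field set to the
    placeholder, so header and body are both authenticated.
    """
    tag = hmac_sha1_96(key, header + PLACEHOLDER + body)
    return header + tag + body


def verify(key: bytes, message: bytes, header_len: int) -> bool:
    """Recompute the tag over the message with the tag field blanked."""
    if header_len < 0 or len(message) < header_len + TAG_LEN:
        return False              # too short to contain a tag: reject
    end = header_len + TAG_LEN
    received = message[header_len:end]
    blanked = message[:header_len] + PLACEHOLDER + message[end:]
    # compare_digest avoids leaking how many leading tag bytes matched
    return hmac.compare_digest(received, hmac_sha1_96(key, blanked))


if __name__ == "__main__":
    # Constructed sample: in the profile described above the key would come
    # from the Diffie-Hellman shared secret, not from a literal.
    session_key = bytes(range(20))
    msg = protect(session_key, b"RRQ1", b"endpoint=ext-0000")
    print("valid   :", verify(session_key, msg, 4))
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    print("tampered:", verify(session_key, tampered, 4))
```
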