[VOIPSEC] H.235, substandard of H.323
hi2005 at gmail.com
Tue Dec 19 12:00:49 GMT 2006
Thank you very much. They are very clear.
Two more questions: CM supports two security profiles, does it mean
the security encryption is turned on for the communications? What kind of
it need from firewalls between the two parties?
- Lenovo GIS
On 12/19/06, Robert R. Gilman <rrg at avaya.com> wrote:
> Briefly, Communications Manager (CM) gatekeeper supports two types of
> "security profiles":
> 1. From the time of our initial release, we've supported a variation of
> H.235 Annex D in which the endpoint answers a challenge presented by
> the gatekeeper in the GCF. We don't have the endpoint validate the
> gatekeeper. The encryption algorithm is DES56-ECB and the key is
> constructed from the user's PIN. In this profile, media encryption
> keys are distributed under the same key and algorithm in the H.235.0
> H235Key element with the sharedSecret CHOICE.
> 2. We've added support for an H.235.5 profile which uses an encrypted
> Diffie-Hellman key exchange to derive a shared secret that's much
> stronger than the user PIN. When this profile is in use, media
> encryption keys are distributed under AES-128-CM encryption, and all
> signalling is authenticated via HMAC-SHA1-96. H235Key is used with
> the secureSharedSecret choice. The profile is nominally the same as
> SP1 (and we will support SP1), but we identify it with an Avaya OID
> to indicate that our proprietary signalling is also encrypted under
> the profile.
> SRTP requires support of H235Key.secureSharedSecret and SRTPKeys from
> H.235.8, and it fits right in with the above schemes with the following
> change: in SRTP, each transmitter supplies its transmit key; in the other
> schemes, the H.245 master supplies all the keys. Also, since we don't
> bulk-encrypt our signalling channels, we encrypt the ASN.1-encoded SRTPKeys
> before putting it in the genericKeyMaterial of V3KeySyncMaterial; the
> algorithmOID and paramS carry the requisite encryption info.
> Does this answer your question?
> Bob Gilman rrg at avaya.com +1 303 538 3868
> ZhaoL wrote:
> > Bob,
> > Would you please give a brief introduction on the H235 support by
> > Avaya's VoIP products?
> > e.g. in their 87xx/85xx/83xx and G series.
> > - Richard
> > - Lenovo GIS
> > On 12/12/06, Robert R. Gilman <rrg at avaya.com> wrote:
> > Michael-
> > As I recall, the change was made in H.235 version 4 which was the
> > version called H.235.0. It contains Appendices (non-normative) that
> > detail which Annexes (normative) were mapped to which H.235.x documents.
> > Grab a copy from http://www.packetizer.com.
> > -Bob
> > ----------------------------------------------------
> > Bob Gilman rrg at avaya.com +1 303 538 3868
> > Michael Billerbeck wrote:
> > > Hello all members of list,
> > >
> > > version 6 of H.323 was officially approved in June 2006.
> > > H.235 is the substandard for security in H.323 and there are
> > several documents/parts:
> > >
> > > H.235.0 Security framework for H-series
> > > H.235.1-5 cover signaling security
> > > H.235.6-8 cover media stream security
> > > H.235.9 Security Gateway Support for H.323
> > >
> > > There have been annexes D-I for security before.
> > > But when exactly was the change from these annexes D-I to these
> > "parts" H.235.0-9? Was it from H.323 Version 5 to Version 6 or was
> > it already before?
> > >
> > > It's also said that "security-related documents have also been
> > significantly enhanced and the H.235 document was entirely
> > restructured."
> > > Are there more details? I only know that "support has been added
> > for SRTP".
> > >
> > > Thanks in advance,
> > > Michael
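The quoted reply says that under the H.235.5 profile all signalling is authenticated via HMAC-SHA1-96. As an added example (not code from this thread or from Avaya), the sketch below computes and checks such a 96-bit tag with the Python standard library. The key and the signalling bytes are constructed values, and where the tag sits inside an H.225 message is not modeled.

```python
import hashlib
import hmac

TAG_LEN = 12  # 96 bits: the leftmost 12 bytes of the 20-byte HMAC-SHA1 output


def hmac_sha1_96(key: bytes, message: bytes) -> bytes:
    """Return HMAC-SHA1(key, message) truncated to its leftmost 96 bits."""
    return hmac.new(key, message, hashlib.sha1).digest()[:TAG_LEN]


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Check a received tag against the message.

    The length test matters: a receiver that truncated its own value to
    whatever length the sender supplied would accept a 1-byte tag after
    at most 256 guesses. The comparison itself is constant-time.
    """
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(hmac_sha1_96(key, message), tag)


# Constructed sample data (assumption): stands in for a key derived from the
# Diffie-Hellman shared secret and for an encoded signalling message.
SAMPLE_KEY = bytes(range(20))
SAMPLE_MSG = b"constructed-signalling-message: RRQ seq=17 alias=4001"


def demo() -> dict:
    """Tag the sample message, then check it intact, modified and short-tagged."""
    tag = hmac_sha1_96(SAMPLE_KEY, SAMPLE_MSG)
    tampered = SAMPLE_MSG.replace(b"4001", b"4002")
    return {
        "intact": verify(SAMPLE_KEY, SAMPLE_MSG, tag),
        "tampered": verify(SAMPLE_KEY, tampered, tag),
        "short_tag": verify(SAMPLE_KEY, SAMPLE_MSG, tag[:4]),
    }


if __name__ == "__main__":
    print(demo())
```

Truncation to 96 bits shortens the tag but not the key, so the authentication strength still rests on the shared secret the profile derives.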