[VOIPSEC] H.235, substandard of H.323
Robert R. Gilman
rrg at avaya.com
Tue Dec 19 15:53:35 GMT 2006
The permitted security profiles are administered by Network Region.
CM always prefers the stronger algorithm if it's offered by the
endpoint and permitted by administration.
WRT firewalls, neither profile hides media addresses and such; basically
they only encrypt the media encryption keys. So a firewall should have
no trouble with them. If the device is also a NAT, the challenge/response
profile is unaffected, but the H.235.5 profile requires H.235.9 (or some
proprietary protocol) between the NAT and the gatekeeper in order that
the session authentication key may be shared. (We haven't implemented
H.235.9 at this point.)
Bob Gilman rrg at avaya.com +1 303 538 3868
> thank you very much. they are very clear.
> two more questions: CM supports two security profiles, does it mean by
> the security encryption is turned on for the communications? what kind
> of support
> it need from firewalls between the two parties?
> - Richard
> - Lenovo GIS
> On 12/19/06, Robert R. Gilman < rrg at avaya.com <mailto:rrg at avaya.com>> wrote:
> Briefly, Communications Manager (CM) gatekeeper supports two types of
> "security profiles":
> 1. From the time of our intial release, we've supported a variation of
> H.235 Annex D in which the endpoint answers a challenge presented by
> the gatekeeper in the GCF. We don't have the endpoint validate the
> gatekeeper. The encryption algorithm is DES56-ECB and the key is
> constructed from the user's PIN. In this profile, media encryption
> keys are distributed under the same key and algorithm in the H.235.0
> H235Key element with the sharedSecret CHOICE.
> 2. We've added support for an H.235.5 profile which uses an encrypted
> Diffie-Hellman key exchange to derive a shared secret that's much
> stronger than the user PIN. When this profile is in use, media
> encryption keys are distributed under AES-128-CM encryption, and all
> signalling is authenticated via HMAC-SHA1-96. H235Key is used with
> the secureSharedSecret choice. The profile is nominally the
> same as
> SP1 (and we will support SP1), but we identify it with an Avaya OID
> to indicate that our proprietary signalling is also encrypted under
> the profile.
> SRTP requires support of H235Key.secureSharedSecret and SRTPKeys from
> H.235.8, and it fits right in with the above schemes with the following
> change: in SRTP, each transmitter supplies its transmit key; in the
> schemes, the H.245 master supplies all the keys. Also, since we don't
> bulk-encrypt our signalling channels, we encrypt the ASN.1-encoded
> before putting it in the genericKeyMaterial of V3KeySyncMaterial; the
> algorithmOID and paramS carry the requisite encryption info.
> Does this answer your question?
> Bob Gilman rrg at avaya.com <mailto:rrg at avaya.com> +1 303
> 538 3868
> ZhaoL wrote:
> > Bob,
> > Would you please give a brief introduction on the H235 support by
> > Avaya's VoIP products?
> > e.g. in their 87xx/85xx/83xx and G series.
> > - Richard
> > - Lenovo GIS
> > On 12/12/06, Robert R. Gilman <rrg at avaya.com
> <mailto:rrg at avaya.com> <mailto:rrg at avaya.com
> <mailto:rrg at avaya.com>>> wrote:
> > Michael-
> > As I recall, the change was made in H.235 version 4 which was
> the first
> > version called H.235.0 . It contains Appendices
> (non-normative) which
> > detail which Annexes (normative) were mapped to which H.235.x
> > Grab a copy from www.packetizer.com
> <http://www.packetizer.com> < http://www.packetizer.com>.
> > -Bob
> > ----------------------------------------------------
> > Bob Gilman rrg at avaya.com <mailto:rrg at avaya.com>
> <mailto:rrg at avaya.com <mailto:rrg at avaya.com>> +1 303
> > 538 3868
> > Michael Billerbeck wrote:
> > > Hello all members of list,
> > >
> > > version 6 of H.323 was officially approved in June 2006.
> > > H.235 is the substandard for security in H.323 and there are
> > several documents/parts:
> > >
> > > H.235.0 Security framework for H-series
> > > H.235.1-5 cover signaling security
> > > H.235.6-8 cover media stream security
> > > H.235.9 Security Gateway Support for H.323
> > >
> > > There have been annexes D-I for security before.
> > > But when exactly was the change from these annexes D-I to
> > "parts" H.235.0-9? Was it from H.323 Version 5 to Version 6
> or was
> > it already before?
> > >
> > > It's also said that "security-related documents have also been
> > significantly enhanced and the H.235 document was entirely
> > restructured."
> > > Are there more details? I only know that "support has been
> > for SRTP".
> > >
> > > Thanks in advance,
> > > Michael
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org <mailto:Voipsec at voipsa.org>
> <mailto:Voipsec at voipsa.org <mailto:Voipsec at voipsa.org>>
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
More information about the Voipsec