
IMTC/Wainhouse Research
European Forum 2003

Secure Multimedia Service Deployment

Steve Welch

Ridgeway Systems & Software

Reading, England

Tel: +44 1189 381123

Email: steve.welch@ridgewaysystems.com

IMTC/Wainhouse Research European Forum, May 2003, Geneva, Switzerland

Agenda

- Example deployment (H.323)
- Security issues
- Security solutions
- H.235 detail
- Summary








H.323 Service Deployment (diagram)

Components labelled on the slide: a service center in a DMZ behind firewall/NAT hosting a gatekeeper (GK), a traversal server, a gateway (GW), an MCU and an H.235 gatekeeper; Enterprise A and Enterprise B, each behind its own firewall/NAT and connecting through a traversal client (site client); public endpoints, road warriors with a traversal client, a phone, a VPN client, an authorized client and a rogue client.


Security Issues

- Secure Connectivity
  - Port restriction/filtering
    - Restrict users to just the Multimedia service
    - Guard against attacks on other services
- Service access
  - Authentication
    - Verify that the user is who they say they are
    - Guard against non-subscribers and masquerading
  - Message integrity
    - Verify that the entire communication setup is performed by the same user
    - Guard against interception
- Privacy
  - Encryption
    - Disguise media communication
    - Guard against snooping on conversations



Security Solutions

- Secure Connectivity
  - Firewall/NAT
  - ALG
  - VPN
  - Traversal
- Service access
  - H.235 Annex D (baseline security)
    - HMAC-SHA1 hashed shared secret
    - Checked time-stamps
  - H.235 Annex D (baseline security)
    - HMAC-SHA1 hash of Q.931 message fields
    - Verify that the entire communication setup is performed by the same user
    - Guard against interception
- Privacy
  - DES, AES encryption algorithms
  - Diffie-Hellman key exchange
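The Annex D service-access checks above (keyed HMAC-SHA1 over the call-setup fields, plus checked time-stamps), as an added illustration that is not code from the presentation or from Ridgeway: a tag is computed over a constructed set of signaling fields with the subscriber's shared secret, and the verifier rejects stale time-stamps, modified fields, wrong secrets and replays. The field names, the separator encoding and the 30-second window are assumptions; real H.235 tokens are ASN.1-encoded, so this is not wire-compatible.

```python
import hmac
import hashlib

# Assumed acceptance window for clock skew between endpoint and gatekeeper.
TIMESTAMP_WINDOW_SECONDS = 30

def canonical(fields: dict, timestamp: int) -> bytes:
    """Deterministic byte string over the protected fields plus the time-stamp.
    Constructed stand-in for the fields H.235 Annex D covers; real tokens are ASN.1 (PER)."""
    parts = [f"{k}={fields[k]}" for k in sorted(fields)]
    parts.append(f"timestamp={timestamp}")
    return "|".join(parts).encode()

def sign(fields: dict, shared_secret: bytes, timestamp: int) -> bytes:
    """HMAC-SHA1 tag keyed with the subscriber's shared secret (20 bytes)."""
    return hmac.new(shared_secret, canonical(fields, timestamp), hashlib.sha1).digest()

def verify(fields, timestamp, tag, shared_secret, now, seen) -> str:
    """Return 'ok' or the reason for rejection. `seen` holds (sender, timestamp)
    pairs already accepted inside the window, so a replayed message is refused."""
    if abs(now - timestamp) > TIMESTAMP_WINDOW_SECONDS:
        return "stale-timestamp"
    expected = sign(fields, shared_secret, timestamp)
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return "bad-hmac"
    key = (fields.get("sender_id"), timestamp)
    if key in seen:
        return "replay"
    seen.add(key)
    return "ok"

def demo():
    """Constructed Setup message (hypothetical field names) run through the checks."""
    secret = b"constructed-shared-secret"
    fields = {"sender_id": "endpoint-a", "call_ref": "0x1234", "message": "Setup"}
    ts = 1_000_000
    tag = sign(fields, secret, ts)
    seen = set()
    results = [verify(fields, ts, tag, secret, ts + 5, seen)]          # fresh, valid
    results.append(verify(fields, ts, tag, secret, ts + 5, seen))      # same message again
    tampered = dict(fields, call_ref="0x9999")                         # field changed in transit
    results.append(verify(tampered, ts, tag, secret, ts + 5, set()))
    results.append(verify(fields, ts, tag, secret, ts + 600, set()))   # outside the window
    results.append(verify(fields, ts, tag, b"other-secret", ts + 5, set()))  # non-subscriber
    return results

if __name__ == "__main__":
    print(demo())
```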



H.235

- Security for H.323
- Provides cryptographic protection of control protocols (RAS, H.225.0 and H.245) and audio/video media stream data
- Allows negotiation of cryptographic services, algorithms and capabilities
- Facilitates interoperable security profiles
- Details integrated key management functions / secure point-to-point and multipoint communications
- Incorporates sophisticated security techniques (Elliptic curves, anti-spamming & AES)
- Designed to allow use of existing Internet security packages and standards (IPSec, SSL/TLS)
- Recommendation H.235 version 2 released in 11/2000


H.235 Security Protocol Architecture (diagram)

Protocol stack shown on the slide, top to bottom: multimedia applications and user interface; AV applications (audio: G.711, G.722, G.723.1, G.729; video: H.261, H.263) over RTP/RTCP with an encryption layer; terminal control and management, covering H.225.0 terminal-to-gatekeeper signaling (RAS), H.225.0 call signaling (Q.931) and H.245 system control, with authentication and security capabilities and optional TLS/SSL; data applications (T.124, T.125, T.123); unreliable transport (UDP, IPX) and reliable transport (TCP, SPX); network layer (IP, IPSec); link layer and physical layer. The scopes of H.323, H.235 and T.120 are marked on the diagram.



H.235 Annex D

Voice Encryption Profile


Voice Encryption Profile

- Supports media encryption (RTP payload) end-to-end
- Allows different crypto algorithms and modes
- Allows different key management options
- Tight interaction of encryption function with media codec/DSP possible
- RTP header remains in clear, supporting IP/UDP/RTP header compression
- Crypto algorithms, modes and parameters are negotiated by H.245 signaling


H.235 Media Encryption (diagram)

Packet layout shown on the slide: Ethernet / IP / UDP / RTP header / encrypted A/V payload / padding. The 12-byte RTP header (V=2, P, X, CC, payload type (PT), sequence number, timestamp, SSRC) remains in the clear; the RTP payload, shown as the encrypted A/V payload followed by the padding bytes and the padding length, is encrypted.


Summary

- Secure deployment is possible
- Key for H.323 is H.235
- Similar techniques can be applied to other areas
  - SIP, Wireless
- Vendors are working in these areas, so that the technology will be available when the requirement appears.
- When will that be…now?
