Friday

H.235 Security Mechanisms


H.235 is expected to operate in conjunction with other H-series protocols that utilize H.245 as their control protocol and/or use the H.225.0 RAS and/or Call Signaling Protocol. H.235’s major premise is that the principal security threat to communications is assumed to be eavesdropping on the network, or some other method of diverting media streams. The security issues related to DoS attacks are not addressed.
This family of threats relies on the absence of cryptographic assurance of a request’s originator. Attacks in this category seek to compromise the message integrity of a conversation. This threat demonstrates the need for security services that enable entities to authenticate the originators of requests and to verify that the contents of the message and control streams have not been altered in transit.
Authentication is, in general, based either on using a shared secret (you are authenticated properly if you know the secret) or on public key-based methods with certifications (you prove your identity by possessing the correct private key). The basis for authentication (trust) and privacy is defined by the endpoints of the communications channel. For a connection establishment channel, this may be between the caller (such as a gateway or IP telephone endpoint) and a hosting network component (a gateway or gatekeeper). For example, a telephone “trusts” that the gatekeeper will connect it with the telephone whose number has been dialed. The result of trusting an element is the confidence to reveal the privacy mechanism (algorithm and key) to that element. Given the aforementioned information, all participants in the communications path should authenticate any and all trusted elements.
Encryption methods are defined as DES, 3DES, and AES. TLS (Transport Layer Security) and IPSec (IP Security) are recommended to secure layer 4 and layer 3 protocol messages, respectively. IPsec and TLS provide solutions at different levels of the ISO model—IPSec in the Network Layer, and TLS in the Transport Layer. Both use the same type of negotiation to set up tunnels, but IPSec often encrypts crucial header information, and TLS encrypts only the application payload of packet, thus TLS encryption retains IP addressing.
The scope of the H.235 specification is shown in Figure 1. H.235 addresses the protocols that are shaded in gray.

 
Figure 1: H.235 Scope
Let’s look at how the H.235 specification interacts with each protocol.
  • H.245 The call signaling channel may be secured using TLS. Users may be authenticated either during the initial call connection, in the process of securing the H.245 channel, and/or by exchanging certificates on the H.245 channel. Media encryption details often are negotiated in private control channels determined by information carried in the OpenLogicalChannel connection.
  • H.225.0/Q.931 Q.931 can be secured via transport-layer security (TLS) or IPSec prior to any H.225.0 message exchange.
  • H.225.0/RAS During the RAS phase of registering, the endpoint and the gatekeeper can exchange security policies and capabilities to define the security methods to be used in the initiated call session.
  • RTP/RTCP H.245 signaling messages are used to provide confidentiality for a secured RTP channel. The method uses H.245 capability exchange for opening secured logical channels as part of the H.245 capability exchange phase, DES, 3DES or AES. The security capability is exchanged per media stream (RTP channel). The security mechanisms protect media streams and any control channels to operate in a completely independent manner.
H.235 specifies a number of security profiles. You can think of each security profile as a module consisting of a set of terms, definitions, requirements, procedures, and a profile overview that describe a particular instantiation of security methods. Security profiles, which are optional, may be implemented either selectively or in almost any combination. Endpoints may initially offer multiple security profiles simultaneously using the aforementioned RRQ/GRQ messages. H.235 also explicitly defines particular combinations of profiles that are useful or possible. For example, H.323 shows that the baseline security profile can be combined with SP4–Direct and selective routed call security, SP6–Voice encryption profile with native H.235/H.245 key management, and SP9–Security gateway support for H.323.
Profiles can be differentiated by the spectrum of security services each particular profile supports. The following security services are defined: Authentication, Nonrepudiation, Integrity, Confidentiality, Access Control, and Key Management. For example, the baseline security profile supports the security services shown in Figure 2.

 
Figure 2: Baseline Security Profile Security Services (H.235.1)
You can see that this profile provides for authentication and integrity of the signaling streams but does not provide support for encryption, nonrepudiation, or access control of these streams. The baseline security profile (H.235.1) specifies the following: Authentication and integrity protection, or authentication-only for H.225/RAS, H.225/Q.931 messages, and tunneled H.245 messages using password-based protection. The security profile is applicable to communications between H.323 terminal to gatekeeper, gatekeeper to gatekeeper, and H.323 gateway to gatekeeper.
The following Security Profiles are defined:
  • 235.1 Baseline security profile
  • 235.2 Signature security profile
  • 235.3 Hybrid security profile
  • 235.4 Direct and selective routed call security
  • 235.5 Framework for secure authentication in RAS using weak shared secrets
  • 235.6 Voice encryption profile with native H.235/H.245 key management
  • 235.7 Usage of the MIKEY key management protocol for the Secure Real Time Transport Protocol
  • 235.8 Key exchange for SRTP using secure signaling channels
  • 235.9 Security gateway support for H.323
Each security profile defines security services in the context of the generic classes of attacks that can be prevented by implementing that particular profile. In the case of the baseline security profile, the following attacks are thwarted.
  • Man-in-the-middle attacks Application level hop-by-hop message authentication and integrity protects against such attacks when the man in the middle is between an application level hop.
  • Replay attacks Use of time stamps and sequence numbers prevent such attacks.
  • Spoofing User authentication prevents such attacks.
  • Connection hijacking Use of authentication/integrity for each signaling message prevents such attacks.
Other threats are not addressed in this profile. For example, the issue of confidentiality via encryption is left to other security profiles. Thus, any H.323 system that uses only this profile will be subject to attacks that rely upon data interception by sniffing traffic. If however, the endpoints that specify the security profiles available to the system indicate that they support SP6–Voice encryption profile with native H.235/H.245 key management, as well as the baseline security profile, then the threat posed by eavesdropping attacks will be minimized.
The matrix describing the security services provided by security profile H.235.6 is shown in Figure 3.

 
Figure 3: Voice Encryption Profile with Native H.235/H.245 Key Management
In Figure 3 you can see that the addition of security profile H.235.6 to the baseline security profile adds methods for Diffie-Hellman key management and encryption of the media streams. In this fashion, security profiles can be added to the H.323 entities within your environment so as to provide only the security controls dictated by your security requirements. This approach allows some customization of the H.323 security controls so that, for example, they can be configured to work with your particular existing firewall infrastructure. 
Related Posts with Thumbnails

Link Exchange