H.235Authentication, Integrity and Encryption

Adi RegevSr. DirectorSales Engineering &Customer Support

2

OverviewOverviewH.235H.235

3

H.235 Annex DH.235 Annex D

Baseline Security Profile (H.323V4 Scope)

Provides Authentication or/and Integrity

Hop-by-hop processing

Password based security

Shared Secret-Key

Digest (Hashing) Algorithm - HMAC-SHA1-96

4

(Voice) Encryption Security Profile (Voice) Encryption Security Profile

Applicable for any RTP Stream

Depends on (part of) H.235 Annex D

Uses DH (Diffie-Hellman) secret key for session keys distribution

Mechanism for Session-Key update and synchronization

Encryption Algorithms - DES, Triple DES, RC2

Anti-Spamming protection

5

H.235 Annex EH.235 Annex E

Provides Authentication or/and Integrity

Signature Profile – Public Key Infrastructure (PKI)

Certificate Based Security

Scalable - applicable for “Global” IP Telephony

Hop-by-Hop and End-to-End security

Digest Algorithms - MD5 or SHA1 signatures

6

H.235v3 Annex FH.235v3 Annex F

Hybrid Security Profile

Uses Annex E signatures (when required)

Uses Annex D otherwise

More secure than Annex D

More lightweight than Annex E

Scalable - Applicable for “Global” IP telephony

7

StatusStatusH.235H.235

8

H.235 StatusH.235 Status

The Good News…

RADVISION ECS supports H.235 Annex D (Basic Profile) Authentication and Integrity

On the roadmap - Encryption and Annex E

The Bad News…

No Multimedia Endpoints (to date) support H.235

Some are working on it or provide proprietary authentication

Workarounds exists – Pre-Defining EP’s, Using LDAP for authentication, etc.

www.radvision.com

adi@radvision.com