
H.235: Security and encryption for H.323 (and other H.245-based) multimedia terminals

H.235 is the security recommendation for the H.3xx series systems. In particular, H.235 provides security procedures for H.323, H.225.0, H.245 and H.460 based systems. H.235 is applicable to both simple point-to-point and multipoint conferences for any terminals which utilize H.245 as a control protocol.

The scope of H.235 is to provide authentication, privacy and integrity for H.323 based systems. H.235 provides a means for a person, rather than a device, to be identified. The security profiles include: 1) a simple, password-based security profile; 2) a profile using digital certificates and dependent on a fully-deployed public-key infrastructure; and 3) a profile that combines features of both 1) and 2). Use of these security profiles is optional.

H.235 includes the ability to negotiate services and functionality in a generic manner, and to be selective concerning cryptographic techniques and capabilities utilized. The specific manner in which they are used relates to systems capabilities, application requirements and specific security policy constraints. H.235 supports varied cryptographic algorithms, with varied options appropriate for different purposes; e.g. key lengths. Certain cryptographic algorithms may be allocated to specific security services.

H.235 supports signalling of well-known algorithms in addition to signalling non-standardized or proprietary cryptographic algorithms. There are no specifically mandated algorithms; however, it is strongly suggested in H.235 that endpoints support as many of the applicable algorithms as possible in order to achieve interoperability. This parallels the concept that the support of H.245 does not guarantee the interoperability between two entities' codecs.

Protocol Structure

H.235 recommends many messages, procedures, structures and algorithms to address the security of signaling, control and media communications under the H.323 architecture. Here is a summary of the definitions:

  • The call signalling channel may be secured using TLS [TLS] or IPSEC [IPSEC] on a secure well-known port (H.225.0).
  • Users may be authenticated either during the initial call connection, in the process of securing the H.245 channel and/or by exchanging certificates on the H.245 channel.
  • The encryption capabilities of a media channel are determined by extensions to the existing capability negotiation mechanism.
  • Initial distribution of key material from the master is via H.245 OpenLogicalChannel or OpenLogicalChannelAck messages.
  • Re-keying may be accomplished by H.245 commands: EncryptionUpdateCommand, EncryptionUpdateRequest, EncryptionUpdate and EncryptionUpdateAck.
  • Key material distribution is protected either by operating the H.245 channel as a private channel or by specifically protecting the key material using the selected exchanged certificates.
  • The security protocols presented conform either to ISO published standards or to IETF proposed standards.
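
The key-handling rules in the list above can be checked mechanically against a decoded H.245 trace. The following is an added example, not code from H.235 or from this page: the event layout (`msg`, `lcn`, `has_key`, `key_wrapped`), the function name and the sample trace are hypothetical and constructed for illustration, and the "re-key before initial key" check is this example's own sanity rule.

```python
# Added example: audit a decoded H.245 trace against the key-handling rules
# summarized above. Event fields and the sample trace are constructed.

INITIAL_KEY_MSGS = {"OpenLogicalChannel", "OpenLogicalChannelAck"}
REKEY_MSGS = {"EncryptionUpdateCommand", "EncryptionUpdateRequest",
              "EncryptionUpdate", "EncryptionUpdateAck"}

def audit_h245_trace(events, h245_private):
    """Return [(event_index, finding), ...] for key-handling problems.

    h245_private: True when the H.245 channel itself is operated as a
    private channel, so key material inside it is already protected.
    """
    findings = []
    keyed = set()  # logical channel numbers that received an initial key
    for i, ev in enumerate(events):
        msg, lcn = ev["msg"], ev["lcn"]
        # Sanity rule of this example: re-keying presumes an initial key.
        if msg in REKEY_MSGS and lcn not in keyed:
            findings.append((i, f"{msg} before initial key on channel {lcn}"))
        if ev.get("has_key"):
            if msg not in INITIAL_KEY_MSGS | REKEY_MSGS:
                findings.append((i, f"key material in unexpected message {msg}"))
            # Rule from the list: private H.245 channel OR protected key.
            if not (h245_private or ev.get("key_wrapped")):
                findings.append((i, f"unprotected key material on channel {lcn}"))
            if msg in INITIAL_KEY_MSGS:
                keyed.add(lcn)
    return findings

# Constructed sample trace (not captured traffic).
SAMPLE_TRACE = [
    {"msg": "OpenLogicalChannel", "lcn": 1, "has_key": True, "key_wrapped": True},
    {"msg": "OpenLogicalChannelAck", "lcn": 2, "has_key": True, "key_wrapped": False},
    {"msg": "EncryptionUpdateRequest", "lcn": 1},
    {"msg": "EncryptionUpdate", "lcn": 1, "has_key": True, "key_wrapped": True},
    {"msg": "EncryptionUpdate", "lcn": 3, "has_key": True, "key_wrapped": True},
]

if __name__ == "__main__":
    for index, finding in audit_h245_trace(SAMPLE_TRACE, h245_private=False):
        print(index, finding)
```
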

The following is a sample flow chart from the H.235 recommendation showing encryption for media security.

[Figure: H.235: Security and encryption for H.323 (and other H.245-based) multimedia terminals]

Related protocols: RTSP, RTP, RTCP, Q.931, H.323, H.245

Sponsor Source: H.235 is an ITU-T (http://www.itu.int/ITU-T/) standard.

Reference:
http://www.javvin.com/protocol/H235v3.pdf: Security and encryption for H-series (H.323 and other H.245-based) multimedia terminals
http://www.h323forum.org/papers/: H.323 papers and documents
