Roni and Martin,
To conclude our discussion, here is the note that I would propose to add at the end of Section 4.2.1/H.234 (*Key* exchange method):
"Note: it is recommended to use any suitable 512-bit prime value for the DES algorithm, a 1024-bit prime for the Triple DES and AES algorithms (when high security is of concern), and a 1536-bit prime for the Triple DES and AES algorithms (when very high security is of concern). For 1024- and 1536-bit primes, it is further recommended to use the verified values shown in Appendix E of RFC 2412."
If that is agreeable to everyone, I will add a paragraph proposing the addition of this note to our contribution on H.234.
Best regards,
Patrick
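To show what the "verified values" in the note actually are and how a check against the note would look, here is an added Python example that is not part of this thread: it rebuilds the 1024- and 1536-bit RFC 2412 Appendix E primes from their published formulas and verifies their size and safe-prime form. The formula constants and the safe-prime property are taken from RFC 2412 / RFC 2409, not from the thread, and the MIN_PRIME_BITS table is my transcription of the proposed note.

```python
# Added example (not from the thread): rebuild the RFC 2412 Appendix E 1024- and
# 1536-bit MODP primes from their published formulas (RFC 2412 / RFC 2409),
#   2^1024 - 2^960 - 1 + 2^64 * {[2^894 pi] + 129093}
#   2^1536 - 2^1472 - 1 + 2^64 * {[2^1406 pi] + 741804},
# and check them against the size table in the proposed H.234 note.
GUARD = 64  # spare low-order bits that absorb series truncation error

def _arctan_inv(x, scale):
    """scale * arctan(1/x) by the Gregory series, integers only."""
    total, power, k, sign = 0, scale // x, 1, 1
    while power:
        total += sign * (power // k)
        power, k, sign = power // (x * x), k + 2, -sign
    return total

def pi_floor(bits):
    """[2^bits * pi] via Machin: pi = 16 atan(1/5) - 4 atan(1/239)."""
    scale = 1 << (bits + GUARD)
    return (16 * _arctan_inv(5, scale) - 4 * _arctan_inv(239, scale)) >> GUARD

def modp_prime(bits, pi_bits, offset):
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_floor(pi_bits) + offset)

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
    """Miller-Rabin with fixed bases (enough to sanity-check a known group)."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Minimum prime size from the proposed note, keyed by (cipher, security level)
MIN_PRIME_BITS = {("DES", "exportable"): 512, ("3DES", "high"): 1024, ("AES", "high"): 1024,
                  ("3DES", "very high"): 1536, ("AES", "very high"): 1536}

def check_dh_prime(p, cipher, level):
    """True if p meets the note's size for (cipher, level) and is a safe prime,
    i.e. both p and (p-1)/2 are prime, as the Appendix E groups are."""
    return (p.bit_length() >= MIN_PRIME_BITS[(cipher, level)]
            and is_probable_prime(p) and is_probable_prime((p - 1) // 2))

MODP_1024 = modp_prime(1024, 894, 129093)
MODP_1536 = modp_prime(1536, 1406, 741804)
```

The hex form of both primes starts with FFFFFFFFFFFFFFFFC90FDAA22168C234 (the leading bits of pi) and ends with sixteen F digits, which is a quick eyeball check against the RFC text.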
At 10:21 9/19/2002 +0200, Euchner Martin ICN M SR 3 wrote:
Ok; sounds fine with me.
With kind regards
Martin Euchner.
-----Original Message-----
From: Even, Roni [mailto:roni.even@polycom.co.il]
Sent: Wednesday, September 18, 2002 9:59 AM
To: Euchner Martin ICN M SR 3; Even, Roni; ITU-SG16@echo.jf.INTEL.COM
Subject: RE: [Security] Enhancements to H.233 and H.234
Martin,
I think the reason H.234 did not give values was that, when it was written, it only defined 512-bit DH, since it was for DES. Patrick suggests adding AES, and after discussing with him we will add the reference to RFC 1412 as in H.235.
Roni
-----Original Message-----
From: Euchner Martin ICN M SR 3 [mailto:Martin.Euchner@icn.siemens.de]
Sent: Tuesday, September 17, 2002 1:49 PM
To: 'Even, Roni'; ITU-SG16@echo.jf.INTEL.COM; Euchner Martin ICN M SR 3
Subject: RE: [Security] Enhancements to H.233 and H.234
Roni,
regarding recommended DH parameters, H.234 apparently follows a different philosophy than H.235:
H.234 does not recommend any particular DH set. Any DH set should work as long as the parameters are chosen with care. On the other hand, H.235 recommends certain sets of DH parameters (taken from RFC 2412). H.235 also allows the use of arbitrary (i.e. non-standardized) DH parameters if there is a need for them.
Now I do not know why H.234 did not recommend any particular set. I can only speculate: perhaps it was decided to leave that issue to the implementation. Or such agreed parameters were simply not available in those former days. Anyway, this makes the ITU recommendation pretty vague and introduces potential interoperability problems.
H.235 defines the recommended DH values in order to yield a consistent security level among key management and media security, taking into account the media encryption algorithms and also exportability issues. It was further recognized that using well-defined DH parameters aids interoperability and simplifies implementations.
One good question that we are touching is: Should we leave H.234 in the same spirit as the document is/was? Or should we improve and add more recommendations such as suggested DH-parameters and some more text?
I can see arguments for either way...
With kind regards
Martin Euchner.
-----Original Message-----
From: Even, Roni [mailto:roni.even@POLYCOM.CO.IL]
Sent: Tuesday, September 17, 2002 8:11 AM
To: ITU-SG16@echo.jf.INTEL.COM
Subject: Re: [Security] Enhancements to H.233 and H.234
Patrick,
I still do not understand number 1, since this tag is in the context of H.233 and should be specified like that. As for the prime number, look at RFC 2412. H.235 refers to it since it includes verified prime numbers for 1024 and 1536, and I suggest we have the same recommendation as H.235. Maybe you should consult with Martin Euchner.
Regards,
Roni
-----Original Message-----
From: Patrick Luthi [mailto:patrick.luthi@tandberg.no]
Sent: Tuesday, September 17, 2002 12:59 AM
To: Even, Roni; ITU-SG16@echo.jf.INTEL.COM
Subject: RE: [Security] Enhancements to H.233 and H.234
Roni,
See my answers in-line!
Regards,
Patrick
At 16:03 9/12/2002 +0300, Even, Roni wrote:
Patrick, I looked at the contributions and have some comments.
- In H.233, why the new tag class? Why don't you use 11 as the rest of the H.233 messages do?
We used 00 because it defines the universal tag class (11 being context-specific), and we thought that SE_NULL, as a null data type message, would best belong to that class. This makes it consistent with ASN.1.
- By adding the new encryption algorithm you need a longer DH prime. In H.235 they have a table in annex D which is based on RFC 2412. Do you think we should have the option to recommend the same numbers as H.235 does?
Neither H.233 nor H.234 specifies any Diffie-Hellman prime values, and my understanding is that it is left to the implementor to choose the best value. I see your point, and in the interest of interoperability, a specified value would help. I will think about how to best integrate some text specifying prime values in H.234. One idea was to add a note in the section about Diffie-Hellman (clause 4/H.234) saying something (inspired by D.7.1/H.235) like this:
It is recommended to use a prime value of 512 bits for the DES algorithm (when exportable security is of concern), 1024 bits for the Triple DES and AES algorithms (when high security is of concern), and 1536 bits for the Triple DES and AES algorithms (when very high security is of concern).
Would that address your concerns? Any feedback or comments are welcome!
Regards,
Roni Even
-----Original Message-----
[snip...]