[h323plus] 回复： 回复： 回复： Does H323plus support H.235

[Paul E. Jones]

Bian,

A shared secret can certainly work, but the disadvantage to using a shared secret is simply the fact that every device will have to know the shared secret of any other device it might call.  This can be a provisioning nightmare.  If all devices have the same shared secret, then it only requires compromising one device and then all conversations can be recorded without being a party to a call. (One would only need to capture the call SETUP messages and then recording the audio would be easy.)

Public key cryptography would serve better to prevent that, whether it's through using TLS to establish the call or exchanging certificates as part of the call.

Paul

> -----Original Message-----
> From: h323plus-bounces at lists.packetizer.com [mailto:h323plus-
> bounces at lists.packetizer.com] On Behalf Of Bian
> Sent: Sunday, December 02, 2007 8:05 PM
> To: Simon Horne; H323plus
> Subject: [h323plus] 回复： 回复： 回复： Does H323plus support H.235
> 
> See 8.6/H.235.6
> 
> The sharedSecret field within the H235Key structure uses the following
> fields:
> • algorithmOID: set to "X", "X1" for the 56-bit RC2-compatible, set to
> "Y", "Y1" for 56-bit
> DES or set to "Z", "Z1" for 168-bit Triple-DES or set to "Z3" for 128-
> bit AES.
> NOTE 1 – The session key encryption algorithm is the same as the
> negotiated media encryption
> algorithm.
> 
> The shared secret is not used directly to encrypt the key exchange
> material to generate
> the cipher for media encryption, but used to enctypt the session key.
> Session key is then used to encrypt media.
> 
> So, I think we can connect PVX or codian using AES through a standard
> way. However, Need some work to test this thought.
> 
> 
> Bian
> 
> 
> 
> ----- 原始邮件 ----
> 发件人： Simon Horne <s.horne at packetizer.com>
> 收件人： Bian <bianxg at yahoo.cn>; H323plus
> <h323plus at lists.packetizer.com>
> 已发送： 2007/12/1(周六), 下午8:16:20
> 主题： RE: [h323plus] 回复： 回复： Does H323plus support H.235
> 
> 
> 
> The shared secret is used to encrypt the key exchange material to
> generate
> the cipher for media encryption.
> 
> If the shared secret was public knowledge then anyone can intercept the
> key
> exchange and generate a key to decrypt the media. So unless Polycom or
> Codian wish to share that proprietry secret there is no way to connect
> via
> AES.
> 
> Simon
> 
> > -----Original Message-----
> > From: h323plus-bounces at lists.packetizer.com
> > [mailto:h323plus-bounces at lists.packetizer.com]On Behalf Of Bian
> > Sent: Saturday, December 01, 2007 11:19 AM
> > To: H323plus
> > Subject: [h323plus] 回复： 回复： Does H323plus support H.235
> >
> >
> > Simon
> >
> > I think PVX's key exchange mechanism is in a standard way. PVX
> > and Codian MCU can connect using AES.
> >
> > But I don't know how the shared secret is used to produce the session
> key.
> >
> >
> > Bian
> >
> > > -----Original Message-----
> > >Bian
> >
> > >No PacPhone AES uses a different key exchange mechanism to PVX.
> > Polycom uses
> > >a proprietry method. They should still connect unencrypted.
> >
> > >Simon
> >
> > > -----Original Message-----
> > > From: Bian [mailto:bianxg at yahoo.cn]
> > > Sent: Wednesday, November 28, 2007 12:35 PM
> > > To: Simon Horne
> > > Subject: 回复： [h323plus] Does H323plus support H.235
> > >
> > >
> > > Simon
> > >
> > > I test PccPhone with PVX, but the AES is not opened. Does
> > > PacPhone can interoperate with PVX using AES?
> > >
> > >
> > > Bian
> > >
> >
> >
> >      ___________________________________________________________
> > 进入雅虎游戏嘉年华，赢取液晶显示器！
> > http://cn.mail.yahoo.com/promo/carnival07/
> 
> 
>       ___________________________________________________________
> 进入雅虎游戏嘉年华，赢取液晶显示器！
> http://cn.mail.yahoo.com/promo/carnival07/
>