Corrections for H.225.0 V.2
Euchner Martin ZT IK 3
Martin.Euchner at MCHP.SIEMENS.DE
Wed Sep 24 17:48:00 EDT 1997
Dear Glen,
I just checked H.225.0 V.2 as H.235 no longer contains security ASN.1.
Thanks for including the ICV fields from APC-1271 in all the RAS
messages.
Unfortunately, you forgot to include the following ASN.1 signaling
elements shown below which are necessary to signal the integrity
mechanism to be used during the GRQ and GCF to the recipient.
Sections 7.8.1 and 7.8.2 about GRQ and GCF should include the following
description:
integrity - indicates to the recipient which integrity mechanism is to be
applied on the RAS messages.
All the following stuff goes into section 15 - Annex H:
EncryptIntAlg ::= CHOICE
{ -- core encryption algorithms for H.225.0 message integrity
nonStandard NonStandardParameter,
isoAlgorithm OBJECT IDENTIFIER , -- defined in ISO/IEC 9979
}
NonIsoIntegrityMechanisms ::= CHOICE
{ -- HMAC mechanism used, no truncation, tagging may be necessary!
hMAC-MD5 NULL OPTIONAL, -- MD5 as hash function
hMAC-iso10118-2-s EncryptIntAlg OPTIONAL, -- according to ISO/IEC 10118-2
using
-- EncryptIntAlg as core block encryption algorithm (short 64-bit MAC)
hMAC-iso10118-2-l EncryptIntAlg OPTIONAL, -- according to ISO/IEC
10118-2 using
-- EncryptIntAlg as core block encryption algorithm (long 128-bit MAC)
hMAC-iso10118-3 OBJECT IDENTIFIER OPTIONAL, -- according to ISO/IEC
10118-3
-- using OID as hash function (OID is SHA-1, RIPE-MD160, RIPE-MD128)
}
IntegrityMechanism ::= CHOICE
{ -- for H.225.0 RAS message integrity
nonStandard NonStandardParameter,
digSig NULL OPTIONAL, -- indicates to apply a digital signature
iso9797 OBJECT IDENTIFIER OPTIONAL, -- according to ISO/IEC 9797 using
OID as
-- core encryption algorithm (X-CBC MAC)
nonIsoIM NonIsoIntegrityMechanism
}
Thus GRQ and GCR should read as follows (integrity entry added):
GatekeeperRequest ::= SEQUENCE --(GRQ)
{
requestSeqNum RequestSeqNum,
protocolIdentifier ProtocolIdentifier,
nonStandardData NonStandardParameter OPTIONAL,
rasAddress TransportAddress,
endpointType EndpointType,
gatekeeperIdentifier GatekeeperIdentifier OPTIONAL,
callServices QseriesOptions OPTIONAL,
endpointAlias SEQUENCE OF AliasAddress OPTIONAL,
...,
alternateEndpoints SEQUENCE OF Endpoint OPTIONAL,
tokens SEQUENCE OF ClearToken OPTIONAL,
cryptoTokens SEQUENCE OF CryptoH323Token OPTIONAL,
integrity SEQUENCE OF IntegrityMechanism OPTIONAL,
authenticationCapability SEQUENCE OF AuthenticationMechanism OPTIONAL,
algorithmOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
integrityCheckValue ICV OPTIONAL
}
GatekeeperConfirm ::= SEQUENCE --(GCF)
{
requestSeqNum RequestSeqNum,
protocolIdentifier ProtocolIdentifier,
nonStandardData NonStandardParameter OPTIONAL,
gatekeeperIdentifier GatekeeperIdentifier OPTIONAL,
rasAddress TransportAddress,
...,
alternateGatekeeper SEQUENCE OF AlternateGK OPTIONAL,
authenticationMode AuthenticationMechanism OPTIONAL,
tokens SEQUENCE OF ClearToken OPTIONAL,
integrity SEQUENCE OF IntegrityMechanism OPTIONAL,
cryptoTokens SEQUENCE OF CryptoH323Token OPTIONAL,
algorithmOID OBJECT IDENTIFIER OPTIONAL,
integrityCheckValue ICV OPTIONAL
}
I'm sorry for the late discovery. Please include the above changes to the
document text.
Martin.
-----------------------------------------------------------------------
| Dipl.-Inf. Phone: +49 89 636-46201
| Martin Euchner Fax : +49 89 636-48000
| Siemens AG
| ZT IK 3 e-mail: Martin.Euchner at mchp.siemens.de
|
| Otto-Hahn-Ring 6
| 81730 Muenchen
| __________________
| Germany
-----------------------------------------------------------------------
More information about the sg16-avd
mailing list