An Overview of Communication Manager Transport and Storage Encryption Algorithms



Similar documents
Chapter 7 Transport-Level Security

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

TLS and SRTP for Skype Connect. Technical Datasheet

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Network Security. Lecture 3

Network Security Essentials Chapter 5

DRAFT Standard Statement Encryption

OPENID AUTHENTICATION SECURITY

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Communication Systems SSL

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Policy Revision Date: 23 April 2009

VoIP Security. Seminar: Cryptography and Security Michael Muncan

Secured Communications using Linphone & Flexisip

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Savitribai Phule Pune University

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Using BroadSAFE TM Technology 07/18/05

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

UVOIP: CROSS-LAYER OPTIMIZATION OF BUFFER OPERATIONS FOR PROVIDING SECURE VOIP SERVICES ON CONSTRAINED EMBEDDED DEVICES

Acano solution. Security Considerations. August E

Network Security Part II: Standards

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Overview. SSL Cryptography Overview CHAPTER 1

The Misuse of RC4 in Microsoft Word and Excel

Transport Level Security

National Security Agency Perspective on Key Management

Network Management Card Security Implementation

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Deployment Scenarios

Chapter 17. Transport-Level Security

Secure Socket Layer. Carlo U. Nicola, SGI FHNW With extracts from publications of : William Stallings.

Configuring SIP Support for SRTP

Web Security Considerations

VOICE OVER IP SECURITY

EXAM questions for the course TTM Information Security May Part 1

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

Overview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Chapter 10. Network Security

FIPS SECURITY POLICY FOR

Introduction to Network Security. 1. Introduction. And People Eager to Take Advantage of the Vulnerabilities

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU.

Security and the Mitel Networks Teleworker Solution (6010) Mitel Networks White Paper

ERserver. iseries. Securing applications with SSL

SENSE Security overview 2014

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

WS_FTP Professional 12. Security Guide

Secure Socket Layer (SSL) and Transport Layer Security (TLS)

Avaya IP Office SIP Configuration Guide

Virtual Private Networks

U.S. Federal Information Processing Standard (FIPS) and Secure File Transfer

Using etoken for SSL Web Authentication. SSL V3.0 Overview

FIPS Level 1 Security Policy for Cisco Secure ACS FIPS Module

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

SSL SSL VPN

BroadSAFE Enhanced IP Phone Networks

Outline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

The BANDIT Products in Virtual Private Networks

Avaya G700 Media Gateway Security - Issue 1.0

Lecture 10: Communications Security

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

ERserver. iseries. Secure Sockets Layer (SSL)

Application Note: Onsight Device VPN Configuration V1.1

Security. Learning Objectives. This module will help you...

Transport Layer Security Protocols

How To Understand And Understand The Ssl Protocol ( And Its Security Features (Protocol)

Sophos UTM. Remote Access via IPsec. Configuring UTM and Client

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

4. H.323 Components. VOIP, Version 1.6e T.O.P. BusinessInteractive GmbH Page 1 of 19

SecureDoc Disk Encryption Cryptographic Engine

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

ETSI TS V8.1.0 ( ) Technical Specification. Smart Cards; Secure channel between a UICC and an end-point terminal (Release 8)

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4

Network Security Fundamentals

Security vulnerabilities in the Internet and possible solutions

SkyRecon Cryptographic Module (SCM)

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

VoIP Security regarding the Open Source Software Asterisk

BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1

VA Enterprise Standard: VIDEO CODEC/RECORDING

Securing an IP SAN. Application Brief

Security Policy. Security Policy.

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

Encryption VIDEO COMMUNICATION SYSTEM-TECHNICAL DOCUMENTATION

Branch Office VPN Tunnels and Mobile VPN

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Transcription:

An Overview of Communication Manager Transport and Storage Encryption Algorithms Abstract The following paper provides a description of the standard algorithms that are implemented within Avaya Communication Manager software to secure transport of IP Telephony communications or store data related to the IP Telephony applications. The document discuses capabilities of Communication Manger software version 2.0 as well as enhancements considered for future releases. 1 of 1

Table of Contents 1. INTRODUCTION...2 2. CONTENT...3 3. LINK SECURITY...4 3.1. IPSI LINK SECURITY...4 3.2. H.248 LINK SECURITY...4 3.3. H.225.0 REGISTRATION, ADMISSION, AND STATUS (RAS)...4 3.4. H.225.0 CALL SIGNALING...5 3.5. RTP MEDIA ENCRYPTION...6 3.6. ADMINISTRATIVE ACCESS...7 3.7. OPERATIONAL DATA STORAGE OF ACCOUNT INFORMATION...7 3.8. BACKUP OF TRANSLATION TABLES...8 4. CONCLUSION...8 5. ADDITIONAL REFERENCES...9 1. Introduction The purpose of this document is to provide detailed descriptions of cryptographic algorithms that are used within the Avaya Communication Manager software. Furthermore, this document provides a description of the IP Telephony protocols that are protected through the use of cryptographic functions of encryption and authentication. It also addresses the mechanisms that Avaya has employed to protect keys used by these algorithms. 2 of 2

SSH HTTPS IPSI (AES-128) H.248 (AES-128) RTP (AES-128) H.225.0 (HMAC-SHA1-96/AES-128) Figure 1: Multi-Connect Communication Manager software implements cryptographic algorithms and methodologies that are generally accepted in the INFOSEC community. Furthermore, the selection of cryptographic functions is chosen based on their ability to be approved under a FIPS-140-2 or Common Criteria certification assessment. 2. Content The remainder of this document will describe cryptographic algorithms and key management for the following data links: Internet Protocol Server Interface (ISPI) Link H.248 Link H.225.0 Registration, Admission, and Status (RAS) H.225.0 Call Signaling RTP Administrative Access Operational Data Storage of Account Information Backup of Translation Tables Note that these descriptions apply to Avaya Communication manager version 2.1 or considered for later releases. 3 of 3

3. Link Security 3.1. IPSI Link Security The IPSI link is defined as the link between the Internet Protocol Server Interface (IPSI) network interface board of the central gateway (e.g., G650) and the media server (e.g., S8700). This link relays control and signaling information between those two entities. As part of signaling, this link is also a conduit between the logical gatekeeper (resident in the media server) and the H.323 endpoint (through the central gateway) as depicted in Figure 1. The IPSI link historically has been secured using 3DES, but is currently secured using the AES_128_CBC [AES] encryption algorithm, to prevent unauthorized access or modification. Inside the encrypted payload, the CRC_16 algorithm is used for error detection and to prevent unauthorized modification of the payload. Since the IPSI link is only between a specific interface card and the media server, the key that is used to secure that link only needs to be known by those two entities. As of the writing of this document, a key is pre-administered (which is stored in the IPSI flash memory and the Communication Manger software but is not accessible by administrators or users) to encrypt a dynamic 128-bit challenge for Diffie-Hellman (DH) [DH] encrypted key exchange [EKE]. Future releases may provide this pre-administered key to be assigned by the customer or dynamically negotiated. 3.2. H.248 Link Security The H.248 link is the data link for control data between the media gateway controller (e.g. media server) and H.248 Media Gateways (e.g., branch gateways such as the G700) via the Gateway Control Protocol. The AES encryption algorithm protects data within this link and also includes a simple manipulation detection mechanism (arithmetic sum) inside the encrypted payload. The transport protocol is similar to TLS. The 128-bit symmetric key, which protects the data, is negotiated between the H.248 gateway and the media server using a DH key exchange. Each time an H.248 link is established, a new 128-bit symmetric key is negotiated using the DH key exchange. Once the symmetric key is negotiated, it remains resident in the volatile memory of the media server and gateway, but is not accessible by users or administrators. Since the key is stored in volatile memory, it is destroyed whenever the H.248 link is re-created or whenever the media server or gateway is turned off. 3.3. H.225.0 Registration, Admission, and Status (RAS) Before an H.323 IP endpoint can make a call, it must first register with a gatekeeper. Endpoints register and establish a signaling connection with Communication Manager using the H.323 registration and signaling standard, which is H.225.0. [ITUH2250]. The first portion of this handshake is the registration (or RAS ) process between the endpoint with the gatekeeper. 4 of 4

With version 2.0 and earlier, authentication of the endpoints was achieved through a challengeresponse mechanism (part of the H.225.0 registration handshake) and incorporated the use of the DES-56 encryption algorithm and derived a key based on the PIN of the extension to authenticate the registration of an endpoint. However, a stronger registration and call signaling design is being considered. With this new design, AES encryption and HMAC_SHA-1 authentication algorithms are implemented to secure registration of the endpoint without exposing any of the authentication credentials of the endpoint (e.g., the PIN of the endpoint) to offline attacks. This is achieved while providing registration authentication and replay protection. Authentication keys are established through the use of an encrypted DH key exchange (1024 bits in length) [EKE] where a series of 128-bit symmetric encryption keys and 160-bit authentication keys are negotiated. Authentication of the endpoint is achieved through the use of HMAC_SHA1_96 [SHA1, HMAC]. This results in a 96-bit authentication element for the RAS messages (truncated from the 160-bits generated by SHA1). This authentication process is part of the H.225.0 security profile in H.235 Annex H [ITUH2350H]. As part of this new registration process, the endpoint and gatekeeper negotiate multiple keys of significant size (128-bits or greater) that are used for authentication of the ongoing registration messages as well as encryption and authentication of the signaling messages. In other words, the registration process is secure because it uses the HMAC plus SHA-1 authentication algorithms combined with an encrypted DH key exchange. Since the keys are negotiated each time the endpoint registers, these keys are only retained in RAM of the endpoint and gatekeeper and are not accessible by users or administrators. 3.4. H.225.0 Call Signaling Once the endpoint has successfully registered, a second H.225.0 link is established between the endpoint and the gatekeeper. This is the signaling link. It is used to transmit call-signaling messages between the gatekeeper and the endpoint. Examples include button presses, status indicators, and transmission of media encryption keys (when calls are established). Under version 2.0 and earlier, only certain data was encrypted on this link, such as the transmission of media encryption keys. In those cases, the DES-56 encryption algorithm was used with a key derived from the PIN of the extension. With the new registration and call signaling design, the signaling channel provides authentication of each packet using the same standard algorithm of HMAC_SHA1_96 as described above. 5 of 5

In addition, this new design provides data encryption. Packets with certain elements of data that would be considered sensitive will transmit those elements as ciphertext created using the AES encryption algorithm (AES-128-CTR, counter-mode). The key that is used for encrypting the data is 128-bits in length and is also derived from the master shared secrete key negotiated during the registration process. As described above, the keys used to authenticate signaling packets and encrypt sensitive elements are dynamically negotiated each time the endpoint registers with the gatekeeper. As such, these keys are only stored in the RAM of the end devices and are not accessible by users or administrators. New session keys are created whenever the endpoints are re-registered. Simply put, all messages sent on the signaling link are authenticated using HMAC_SHA_96 authentication algorithm. Those elements within the signaling link that need to be encrypted are secured using AES and a 128-bit key. 3.5. RTP Media Encryption Avaya is proud to offer media encryption of RTP streams. With the introduction of version 1.3.1, Communication Manager offered RTP encryption using the Avaya Encryption Algorithm [AEA]. AEA is an RC4-like encryption algorithm. It provides efficient, strong encryption of the media streams between endpoints or between endpoints and media processing boards. CM uses a 104-bit key for AEA. With the introduction of version 2.0, Communication Manager also supports media encryption using the Advanced Encryption Algorithm [AEA] in counter mode using 128-bit keys. The Secure Real Time Protocol [SRTP] is also being assessed for a future release. SRTP incorporates AES for encryption of RTP packets and HMAC_SHA1 for authentication of RTP packets and RTCP packets. The Internet Engineering Task Force (IETF) is currently considering adopting this for an RFC sometime in 2004. In all of these media encryption solutions, the media encryption keys are dynamically created on a per-connection basis. The keys are created within the gatekeeper and transmitted to the endpoints and media processing boards via the aforementioned secure links. Additionally, separate keys are produced for the transmit and receive streams of each call. In the case of conference calls, a unique pair of keys is assigned for encrypting the payload of each endpoint (one or transmit and one for receive). With the introduction of SRTP, derivation of additional keys is performed for authentication of the RTP and RTCP [SRTP] messages. Since all of these keys are dynamically created and assigned, they are only stored in RAM and are not accessible by administrators or users. RTP keys are not escrowed. 6 of 6

3.6. Administrative Access Administrators are able to access administrative functions of the Linux-based media servers via two security protocols: SSH [SSHWG] and HTTP over SSL (HTTPS) [HTTPS]. For each of these protocols, in general, cipher suites specify which encryption algorithm, key size, and mode will be used, along with the key negotiation method. For SSH connections, the AES cipher suite is specified (128-bit key) as the preferred algorithm. The SSH client software (provided by and located on the administrators PC), negotiates with the media server to determine which cipher suite will actually be used. As long as the SSH client supports AES and is listed as a preference, it will be used for encrypting the data. Details of the authentication are provided by standards defined by [SSHWG]. For the web interface, the media servers support HTTPS. Under HTTPS the HTTP data is encrypted authenticated within a SSL (or TLS) connection. Similar to SSH, the SSL cipher suite is negotiated with preferred and prioritized cipher suites provided by the client and server during the SSL handshake. The media servers list 3DES as a preferred encryption algorithm. However, newer versions of TLS will support AES. When this is implemented, AES will be listed as the preferred encryption algorithm. Authentication of the messages is provided as part of the TLS protocol [TLS] Regardless of transport method (SSH or HTTPS), the session keys are negotiated each time a link is established. These session keys are discarded at the end of the session and are not retained in flash memory. 3.7. Operational Data Storage of Account Information During normal operations, Communication Manager manages numerous extensions as well as administrative accounts. This information is considered sensitive because unauthorized access could provide an attacker the means to achieve access to or change the privileges of administrative accounts or extensions on the system. During operations, the administrative credentials (most importantly the administrative passwords) are stored as an MD5 hash inside of a Linux shadow password file. For more detail on this file, see [RHSG]. However, if the administrative account is ASG-protected, the account does not use passwords for authentication. Instead, during the login process, the administrator must provide a correct response to a dynamic ASG challenge. The correct response is the encryption challenge using a unique ASG key. The ASG key is stored in an ASGFILE or LACFILE (for support accounts) and both are encrypted using 3DES. The 3DES key is pre-administered inside Communication Manager software. The extension and PIN information is stored in Translation Tables of Communication Manager. Aside from imposing tight software controls on the access of the Translation Tables, the PIN 7 of 7

information is encrypted using 3DES in the Translation Table files and a pre-administered key stored in Communication Manger software. Future versions of Communication Manager will provide for greater support of standardized central authentication mechanisms such as RADIUS, LDAP, and Kerberos. 3.8. Backup of Translation Tables Communication Manager provides the ability to backup Translation Tables for offsite storage. When these tables are backed-up, the customer has the option of providing a pass phrase and encrypting those backup files. When this is done, the GnuPGP [GPGP] utility is used to encrypt the backup file using the CAST5 encryption algorithm (default setting for this utility which uses a 128-bit key based on the pass phrase). Future version will standardize on the AES encryption algorithm (128-bit). 4. Conclusion Within Communication Manager, communications are secured from end-to-end using standard encryption and authentication algorithms. Keys are dynamically generated and are stored in RAM where they are overwritten whenever the links disabled or re-created. Additionally, all links support the use of the AES algorithm for encryption using 128-bit keys. When authentication is used, the HMAC_SHA1_96 authentication algorithm is implemented. The bottom line is that customers can have confidence in Avaya s VoIP solutions because of the implementation of standard encryption and authentication algorithms, use of dynamic key negotiation, and incorporation of this capability as a fundamental part of the standard product offering of Avaya media servers, gateways, and endpoints. 8 of 8

5. Additional References This section is optional. If you have other references such as product documentation that you wish to point out to the user you may add pointers here. [AES] [DH] [EKE] [GNUPG] [HMAC] [HTTPS] [ITUH2250] [ITUH235H] [RHSG] [SHA1] [SRTP] [SSHWG] [TLS] Advanced Encryption Standard, FIPS-197, http://csrc.nist.gov/publications/fips/fips197/fips- 197.pdf W. Diffie and M.E. Hellman, New Directions in Cryptography, IEEE Transactions in Information Theory, v. IT-22, n. 6, Nov 1976, pp. 664-654 Bellovin and Merritt, U.S. Patent 5,241,599, August 31, 1993, assigned to Lucent Technologies AT&T Bell Laboratories. www.gnupg.org H. Krawczyk, M. Bellare, and R. Canetti, HMAC: Keyed-Hashing for Message Authentication, IETF Informational RFC 2104, February 1997. E. Rescorla; HTTP over TLS ; RFC 2818, http://www.ietf.org/rfc/rfc2818.txt ITU-T Recommendation H.225.0, "Call signaling protocols and media stream packetization for packet-based multimedia communication systems" ITU-T H.235 Amendment 1, "Security and encryption for H-series (H.323 and other H.245-based) multimedia terminals," Annex H The Official Red Hat Security Guide, http://www.redhat.com/docs/manuals/linux/rhl-8.0- Manual/pdf/rhl-sg-en-80.pdf FIPS PUB 180-1, Secure Hash Standard, U.S. Department of Commerce, Technology Division, National Institute of Standards and Technology, April 17, 1995. Baugher, Carrara, Naslund, Norrman; SRTP: The Secure Real Time Transport Protocol, IETF RFC Pending, http://www.ietf.org/internet-drafts/draft-ietf-avt-srtp-09.txt IETF Secure Shell Working Group (secsh), multiple IETF Internet Drafts, http://www.ietf.org/html.charters/secsh-charter.html T. Dierks, C. Allen; The TLS Protocol, IETF 2246, http://www.ietf.org/rfc/rfc2246.txt Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by and are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in this White Paper is subject to change without notice. The technical data provided in this White Paper are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in this White Paper. 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information