ImageVerifierCode 换一换
格式:PDF , 页数:36 ,大小:579.49KB ,
资源ID:797444      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-797444.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ITU-T H 235 3-2005 H 323 security Hybrid security profile (Study Group 16)《H 323 安全框架 混合安全模式》.pdf)为本站会员(吴艺期)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ITU-T H 235 3-2005 H 323 security Hybrid security profile (Study Group 16)《H 323 安全框架 混合安全模式》.pdf

1、 International Telecommunication Union ITU-T H.235.3TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (09/2005) SERIES H: AUDIOVISUAL AND MULTIMEDIA SYSTEMSInfrastructure of audiovisual services Systems aspects H.323 security: Hybrid security profile ITU-T Recommendation H.235.3 ITU-T H-SERIES RECOMME

2、NDATIONS AUDIOVISUAL AND MULTIMEDIA SYSTEMS CHARACTERISTICS OF VISUAL TELEPHONE SYSTEMS H.100H.199 INFRASTRUCTURE OF AUDIOVISUAL SERVICES General H.200H.219 Transmission multiplexing and synchronization H.220H.229 Systems aspects H.230H.239 Communication procedures H.240H.259 Coding of moving video

3、H.260H.279 Related systems aspects H.280H.299 Systems and terminal equipment for audiovisual services H.300H.349 Directory services architecture for audiovisual and multimedia services H.350H.359 Quality of service architecture for audiovisual and multimedia services H.360H.369 Supplementary service

4、s for multimedia H.450H.499 MOBILITY AND COLLABORATION PROCEDURES Overview of Mobility and Collaboration, definitions, protocols and procedures H.500H.509 Mobility for H-Series multimedia systems and services H.510H.519 Mobile multimedia collaboration applications and services H.520H.529 Security fo

5、r mobile multimedia systems and services H.530H.539 Security for mobile multimedia collaboration applications and services H.540H.549 Mobility interworking procedures H.550H.559Mobile multimedia collaboration inter-working procedures H.560H.569 BROADBAND AND TRIPLE-PLAY MULTIMEDIA SERVICES Broadband

6、 multimedia services over VDSL H.610H.619 For further details, please refer to the list of ITU-T Recommendations. ITU-T Rec. H.235.3 (09/2005) i ITU-T Recommendation H.235.3 H.323 security: Hybrid security profile Summary The purpose of this Recommendation is to describe an efficient and scalable, P

7、KI-based hybrid security profile for version 2 or higher of ITU-T Rec. H.235.0. The hybrid security profile contained herein takes advantage of the security profiles in ITU-T Recs H.235.1 and H.235.2 by deploying digital signatures from ITU-T Rec. H.235.2 and deploying the baseline security profile

8、from ITU-T Rec. H.235.1. In earlier versions of the H.235 sub-series, this profile was contained in Annex F/H.235. Appendices IV, V, VI to H.235.0 show the complete clause, figure, and table mapping between H.235 versions 3 and 4. Source ITU-T Recommendation H.235.3 was approved on 13 September 2005

9、 by ITU-T Study Group 16 (2005-2008) under the ITU-T Recommendation A.8 procedure. Keywords Authentication, certificate, digital signature, encryption, integrity, key management, multimedia security, security profile. ii ITU-T Rec. H.235.3 (09/2005) FOREWORD The International Telecommunication Union

10、 (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to sta

11、ndardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is

12、covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to i

13、ndicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achie

14、ved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL

15、PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether as

16、serted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned th

17、at this may not represent the latest information and are therefore strongly urged to consult the TSB patent database. ITU 2006 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. ITU-T Rec. H.235.3 (09/2005) iii CO

18、NTENTS Page 1 Scope 1 2 References. 1 2.1 Normative references 1 2.2 Informative references 2 3 Terms and definitions . 2 4 Symbols and abbreviations. 2 5 Conventions 3 6 Overview 4 6.1 H.323 requirements 6 6.2 Authentication and integrity. 7 7 Procedure IV. 7 8 Security association for concurrent c

19、alls 9 9 Key update 10 10 Usage of elliptic curve techniques 11 11 Illustration examples. 11 12 Multicast behaviour 14 13 List of secure signalling messages 14 13.1 H.225.0 RAS 14 13.2 H.225.0 call signalling (single administrative domain) 14 13.3 H.225.0 call signalling (multi-administrative domain

20、) 15 14 List of object identifiers 15 Appendix I H.235.3 enabled Gatekeeper Security Processor . 16 I.1 Discovery of a gatekeeper security processor 18 I.2 Gatekeeper security processor operation 19 I.3 Processor token. 20 I.4 GKSP illustration example. 23 I.5 List of object identifiers 28 ITU-T Rec

21、. H.235.3 (09/2005) 1 ITU-T Recommendation H.235.3 H.323 security: Hybrid security profile 1 Scope The purpose of this Recommendation is to describe an efficient and scalable, PKI-based hybrid security profile for version 2 and higher of ITU-T Rec. H.235.0. The hybrid security profile contained here

22、in takes advantage of the security profiles in ITU-T Recs H.235.1 and H.235.2 by deploying digital signatures from ITU-T Rec. H.235.2 and deploying the baseline security profile from ITU-T Rec. H.235.1. 2 References 2.1 Normative references The following ITU-T Recommendations and other references co

23、ntain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate

24、the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of

25、a Recommendation. ITU-T Recommendation H.225.0 (2003), Call signalling protocols and media stream packetization for packet-based multimedia communication systems. ITU-T Recommendation H.235, version 1 (1998), Security and encryption for H-series (H.323 and other H.245-based) multimedia terminals. IT

26、U-T Recommendation H.235, version 2 (2000), Security and encryption for H-series (H.323 and other H.245-Based) multimedia terminals. ITU-T Recommendation H.235.0 (2005), H.323 security: Framework for security in H-series (H.323 and other H.245-based) multimedia systems. ITU-T Recommendation H.235.1

27、(2005), H.323 security: Baseline security profile. ITU-T Recommendation H.235.2 (2005), H.323 security: Signature security profile. ITU-T Recommendation H.235.6 (2005), H.323 security: Voice encryption profile with native H.235/H.245 key management. ITU-T Recommendation H.245 (2005), Control protoco

28、l for multimedia communication. ITU-T Recommendation H.323 (2003), Packet-based multimedia communications systems. ITU-T Recommendation Q.931 (1998), ISDN user-network interface layer 3 specification for basic call control. ITU-T Recommendation X.509 (2005) | ISO/IEC 9594-8:2005, Information technol

29、ogy Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Refere

30、nce Model Part 2: Security Architecture. 2 ITU-T Rec. H.235.3 (09/2005) ITU-T Recommendation X.803 (1994) | ISO/IEC 10745:1995, Information technology Open Systems Interconnection Upper layers security model. ITU-T Recommendation X.810 (1995) | ISO/IEC 10181-1:1996, Information technology Open Syste

31、ms Interconnection Security frameworks for open systems: Overview. ITU-T Recommendation X.811 (1995) | ISO/IEC 10181-2:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Authentication framework. IETF RFC 3280 (2002), Internet X.509 Public Key Infrastruct

32、ure Certificate and Certificate Revocation List (CRL) Profile. 2.2 Informative references ISO|IEC 14888-3 ISO/IEC 14888-3:1998, Information technology Security techniques Digital signatures with appendix; Part 3: Certificate-based mechanisms. PKCS PKCS #1 v2.0: RSA Cryptography Standard; RSA Laborat

33、ories; October 1, 1998; http:/ PKCS PKCS #7: Cryptographic Message Syntax Standard, An RSA Laboratories Technical Note, version 1.5, Revised November 1, 1993; http:/ RFC1321 IETF RFC 1321 (1992), The MD5 Message-Digest Algorithm. 3 Terms and definitions For the purposes of this Recommendation, the d

34、efinitions given in clauses 3/H.323, 3/H.225.0 and 3/H.245 apply. Some of the terms used in this Recommendation are also as defined in ITU-T Recs X.800 | ISO 7498-2, X.803 | ISO/IEC 10745, X.810 | ISO/IEC 10181-1, X.811 | ISO/IEC 10181-2 and H.235.0. 4 Symbols and abbreviations This Recommendation u

35、ses the following abbreviations: ALG Application Level Gateway ASN.1 Abstract Syntax Notation One BRJ Bandwidth Reject BRQ Bandwidth Request CA Certification Authority CRL Certificate Revocation List DB Database DH Diffie-Hellman DN Distinguished Name EP Endpoint GCF Gatekeeper Confirm GK Gatekeeper

36、 GKID Gatekeeper Identifier GKSP Gatekeeper Security Processor ITU-T Rec. H.235.3 (09/2005) 3 GRJ Gatekeeper Reject GRQ Gatekeeper Request HMAC Hashed Message Authentication Code ICV Integrity Check Value ID Identifier IP Internet Protocol LDAP Lightweight Directory Access Protocol LRQ Location Requ

37、est MCU Multipoint Control Unit MD5 Message Digest 5 NAT Network Address Translation OID Object Identifier PDU Protocol Data Unit PKI Public Key Infrastructure RAS Registration, Admission and Status RCF Registration Confirm RRJ Registration Reject RRQ Registration Request RSA Rivest, Shamir and Adle

38、man encryption algorithm RTP Real-time Transport Protocol SHA Secure Hash Algorithm UDP User Datagram Protocol URQ Unregistration Request VoIP Voice-over-IP 5 Conventions In this Recommendation the following conventions are used: “shall“ indicates a mandatory requirement. “should“ indicates a sugges

39、ted but optional course of action. “may“ indicates an optional course of action rather than a recommendation that something take place. The hybrid security profile uses terms and definitions from ITU-T Recs H.235.1 and H.235.2. While the message integrity service always provides message authenticati

40、on, the reverse is not always true. For the authentication-only mode, the integrity assured only spans a certain subset of message fields. This applies to integrity services realized by asymmetric means (e.g., digital signatures). Thus, in practice, a combined authentication and integrity service us

41、es the same key material without introducing a security weakness. This security profile is applicable in environments with potentially many terminals, where static password/symmetric key assignment is not feasible, e.g., in large-scale or global-scale scenarios. 4 ITU-T Rec. H.235.3 (09/2005) Instea

42、d, this security profile assumes availability of a public-key infrastructure with assigned certificates and private/public-keys, directories, etc. In addition, this security profile deploys symmetric crypto techniques where applicable. This security profile introduces the terms “first“ message and “

43、last“ message sent. Security protection of the first message (and probably also for the last message) is different from security protection of the remaining other messages. The “first message“ sent is understood as a message that flows between two H.323 entities and establishes a security context. I

44、t makes symmetric key material available to both entities and, for example, marks the beginning of a call. For H.225.0 RAS, the first message is the RRQ and the related response message. For H.225.0 call signalling using fast start, the first message is SETUP and CONNECT. The “last message“ terminat

45、es the established security context. The established key material shall be destroyed. For H.225.0 RAS, the last message is the URQ and related response message, while for H.225.0 call signalling the last message is RELEASE-COMPLETE. 6 Overview This Recommendation describes an efficient and scalable,

46、 PKI-based hybrid security profile deploying digital signatures from H.235.2 and deploying the baseline security profile from H.235.1. This Recommendation is suggested as an option. H.323 security entities (terminals, gatekeepers, gateways, MCUs, etc.) may implement this hybrid security profile for

47、improved security or whenever required. The notion of “hybrid“ in this text shall mean that security procedures from the signature profile in ITU-T Rec. H.235.2 are actually applied in a lightweight sense and the digital signatures still conform to the RSA procedures. However, digital signatures are

48、 deployed only where absolutely necessary while highly efficient symmetric security techniques from the baseline security profile in ITU-T Rec. H.235.1 are used otherwise. The hybrid security profile is applicable for scaleable “global“ IP telephony. This security profile overcomes the limitations o

49、f the simple, baseline security profile of H.235.1 when strictly applying it. Furthermore, this security profile overcomes certain drawbacks of H.235.2, such as the need for higher bandwidth and increased performance needs for processing, when strictly applying it. For example, the hybrid security profile does not depend on the (static) administration of mutual shared secrets of the hops in different domains.

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1