ETSI TS 101 888-2003 Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 4 Test Scenarios Security testing - H 323 environment《网络上电信和互联网协议的协调(TIPH_1.pdf

资源描述

1、 ETSI TS 101 888 V4.2.1 (2003-12)Technical Specification Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 4;Test Scenarios;Security testing - H.323 environmentETSI ETSI TS 101 888 V4.2.1 (2003-12) 2 Reference RTS/TIPHON-06014R42 Keywords H.323, IP, protocol, tele

2、phony, testing, security, VoIP ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copie

3、s of the present document can be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (P

4、DF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status

5、 of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, send your comment to: editoretsi.org Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing r

6、estriction extend to reproduction in all media. European Telecommunications Standards Institute 2003. All rights reserved. DECTTM, PLUGTESTSTM and UMTSTM are Trade Marks of ETSI registered for the benefit of its Members. TIPHONTMand the TIPHON logo are Trade Marks currently being registered by ETSI

7、for the benefit of its Members. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. ETSI ETSI TS 101 888 V4.2.1 (2003-12) 3 Contents Intellectual Property Rights4 Foreword.4 1 Scope 5 2 References 5 3 Definitions and abbreviations.6 3.1 D

8、efinitions6 3.2 Abbreviations .6 4 Security test strategy 6 5 H.235 Annex D 7 5.1 Overview 7 5.2 Received message.10 5.3 Separate steps .11 5.4 RRQ message with H.235 V2 13 5.5 Following RFC with sendersID14 5.6 Test configurations.15 5.6.1 Gatekeeper and terminal .15 5.6.2 Gatekeeper and gateway .1

9、5 5.6.3 Gatekeeper and Gatekeeper 15 6 H.235, annex F .15 6.1 Overview 15 6.2 RRQ with DH Set received by the Gatekeeper with signed token .17 6.3 RCF with DH Set of GK received by the client with signed token 20 6.4 ARQ now with baseline security received by the Gatekeeper with CryptoHashedToken22

10、6.5 ACF received by the Client with cryptohashed token 24 6.6 Private key of Gatekeeper 26 6.7 Certificate of Gatekeeper27 6.8 Private key of endpoint.27 6.9 Certificate of endpoint28 6.10 Test Configurations 28 6.10.1 Gatekeeper and Terminal28 6.10.2 Gatekeeper and Gateway 28 6.10.3 Gatekeeper and

11、Gatekeeper 29 7 Global Service Providers29 History 30 ETSI ETSI TS 101 888 V4.2.1 (2003-12) 4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available

12、 for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (h

13、ttp:/webapp.etsi.org/IPR/home.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or

14、may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Project Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON). ETSI ETSI TS 101 888 V4.2.1 (2003-12) 5 1 Scope The scope of the present document is to define th

15、e security test specifications for TIPHON Release 4 for the H.323 5 environment. The security methods considered in the present document are related only to IP based networks. The signalling path and the media path in the SCN is considered to be secure (“Trust by wire“). This security test specifica

16、tion does not explain recommendation H.235 2 and the annexes, nor does it explain how to implement the security procedures. For further information on H.235, please refer to 2 or 4. Rather, the present document provides a step-wise implementation approach showing example security message processing

17、along with the generated output. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. References are either specific (identified by date of publication and/or edition number or version number) or non-specific. F

18、or a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. 1 ITU-T Recommendation H.225.0: “Call si

19、gnalling protocols and media stream packetization for packet based multimedia communication systems“. 2 ITU-T Recommendation H.235: “Security and Encryption for H.series (H.323 and other H.245 based) multimedia terminals “. 3 ITU-T Recommendation H.235 Annex F: “Hybrid Security Profile“. 4 ITU-T Rec

20、ommendation H.245: “Control protocol for multimedia communication“. 5 ITU-T Recommendation H.323: “Packet based multimedia communications systems“. 6 ETSI TS 101 883: “Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 4; Interface Protocol Requirements Definition;

21、 Implementation of TIPHON architecture using H.323“. ETSI ETSI TS 101 888 V4.2.1 (2003-12) 6 3 Definitions and abbreviations 3.1 Definitions For the purpose of the present document, the definitions given in the IUT-T Recommendations H.225.0 1, H.235 2, H.245 4 and H.323 5. 3.2 Abbreviations For the

22、purposes of the present document, the following abbreviations apply: A Audio ARQ Admissions ReQuest ACF Admissions ConFirmARJ Admissions Reject A/V Audio/Video D Data DRQ Disengage Request DCF Disengage Confirm IP Internet ProtocolLRQ Location Request LCF Location Confirm QoS Quality of Service SCN

23、Switched Circuit Networks 4 Security test strategy Security testing should be performed after a vendor has completed product and system testing with the ETSI testing standards. The basic idea for security testing is to show the generation and insertion of the security bits into the specific paramete

24、rs of the H.323 5 messages. Because this mechanism is exactly the same on the senders and the receivers side, no distinction is necessary. To test entities for their implementation of security two entities (that are already interworking) need to be connected. In the case of an incorrect security inf

25、ormation it is necessary to go into the detail of the generation of the security bits. In order to be able to determine the reason for this failure the security tests strategy is just to look at the different steps of the generation and insertion of the security bits into the protocol elements. This

26、 is the only way to determine the failure. The Security testing shall be performed for the following configurations: Signalling path: - Gatekeeper and Terminal; - Gatekeeper and Gateway; - Gatekeeper and Gatekeeper. Media path: - Terminal and Terminal; - Terminal and Gateway; - Gateway and Gateway.

27、ETSI ETSI TS 101 888 V4.2.1 (2003-12) 7 Global Service Providers: - BES and TRC; - BES and CH; - BES and CA. The security testing shall be performed in three different parts where the first part deals with the security testing for the signalling path (Terminal, Gatekeeper, Gateway) using annex D of

28、H.235 2. The second part deals with the security aspects for the signalling path equivalent to the first but using annex F of H.235 2 and the media path using H.235. The third part handles the security testing from the BES to the global service providers. 5 H.235 Annex D 5.1 Overview Figure 1 shows

29、the basic steps to be taken at the originating entity and illustrates the procedures specified by Annex D of H.235 2, in particular clauses D.6.3.2 and D.6.3.3. ETSI ETSI TS 101 888 V4.2.1 (2003-12) 8 H.225.0 message CryptoH323Token nestedCryptoToken CryptoHashedToken token Timestamp random algOID g

30、eneral ID OIDs cryptoHashedToken hash value params sendersID DH Default pattern HASHED ASN.1 Encode message H.225.0 message CryptoH323Token 000.0000 Compute hash HMAC SHA1 password Compute SHA1 hash H.225.0 message CryptoH323Token 1 2 3 4 5 6 7 8 9 Figure 1: Stepwise approach for sender Figure 2 sho

31、ws the basic steps to be taken at the receiving side starting with the entire message, decoding, breaking it into pieces and extracting the necessary parts and the final computation/verification step. NOTE 1: The figures just visualize the essential steps as an example and correlate with the print o

32、ut in clause 5.3; in any case, the procedures and description of annex D of H.235 2 take precedence. NOTE 2: The print out in clause 5.4 reflect H.235 V2 with the sendersID used. NOTE 3: The figures and print out reflect a scenario endpoint to gatekeeper; other scenarios and examples are not shown.

33、ETSI ETSI TS 101 888 V4.2.1 (2003-12) 9 NOTE 4: The default pattern is a local value that is being used temporarily when computing the hash value, see clause D.6.3.3.2 of H.235 2. H.225.0 message CryptoH323Token nestedCryptoToken CryptoHashedToken token Timestamp random algOID general ID OIDs crypto

34、HashedToken hash value params sendersID DH RV HASHED Compute hash HMAC SHA1 password Compute SHA1 hash 1 3 10 11b 12 ASN.1 Decode message H.225.0 message CryptoH323Token 2 4 5 6 7 8 11 H.225.0 message CryptoH323Token 000.000 11a 9 Compare/Verify hash values RV 12 Figure 2: Stepwise approach for rece

35、iver ETSI ETSI TS 101 888 V4.2.1 (2003-12) 105.2 Received message The examples shown in clauses 5.2 and 5.3 use the RRQ sent by a Terminal and received at the Gatekeeper. The print out in clauses 5.2 and 5.3 reflects H.235V1, i.e. sendersID is not used. The received RRQ message is given in binary an

36、d with all fields shown. The received binary message part is given and the separate steps shown for the verification. Password = fries SHA1 = 91 27 1C 95 F0 A3 A0 6F 0D 79 75 B1 19 5F A1 28 8A 86 B6 D4 A received RRQ message with embedded Cryptotoken: * * RECEIVE RRQ FROM EP AT GK * * 14:34:12 TPKTC

37、HAN: Address: 14:34:12 TPKTCHAN: 0 TransportAddress = (0) . CHOICE . 14:34:12 TPKTCHAN: 1 . ipAddress = (0) . SEQUENCE 14:34:12 TPKTCHAN: 2 . . ip = (4) .j =0x8b17ca6a . OCTET STRING (44) 14:34:12 TPKTCHAN: 2 . . port = (1720) . INTEGER (065535) 14:34:21 UDPCHAN: New message (channel 0) recv Transpo

38、rtAddress = (0) . CHOICE . 14:34:21 UDPCHAN: 1 . ipAddress = (0) . SEQUENCE 14:34:21 UDPCHAN: 2 . . ip = (4) .j =0x8b17ca6a . OCTET STRING (44) 14:34:21 UDPCHAN: 2 . . port = (1151) . INTEGER (065535) 14:34:21 UDPCHAN: Binary: 14:34:21 UDPCHAN: 00000 0f 80 3a 27 06 00 08 91 4a 00 02 00 08 2b 0c 02 |

40、 12 00 00 00 00 00 00 00 |.8h.| 14:34:21 UDPCHAN: 00080 00 6c c0 00 50 fb 38 00 12 fa 94 00 12 fa 9c 00 |.l.P8“.| 14:34:21 UDPCHAN: 00096 12 01 ec 00 00 02 36 00 00 00 0e 00 00 02 36 00 |.6.6.| 14:34:21 UDPCHAN: 00112 00 60 76 3d 18 20 ec f3 2e 00 00 00 00 9d b5 72 |.v=. .r| 14:34:21 UDPCHAN: 00128

43、 70 6c 69 63 61 74 69 6f 6e 08 52 41 44 56 |application.RADV| 14:34:21 UDPCHAN: 00256 69 73 69 6f 6e 12 2b 80 56 01 74 07 00 08 81 6b |ision.+V.t.k| 14:34:21 UDPCHAN: 00272 00 01 01 45 00 07 00 08 81 6b 00 01 05 c0 3a 22 |.Ek.:“| 14:34:21 UDPCHAN: 00288 62 db 01 29 22 00 53 00 69 00 65 00 6d 00 65 0

45、 00 01 00 01 00 01 00 |.| 14:34:21 UDPCHAN: Message: 14:34:21 UDPCHAN: 0 RasMessage = (6502) . CHOICE . 14:34:21 UDPCHAN: 1 . registrationRequest = (4294967185) . SEQUENCE . 14:34:21 UDPCHAN: 2 . . requestSeqNum = (14888) . INTEGER (165535) 14:34:21 UDPCHAN: 2 . . protocolIdentifier = (6) itu-t reco

46、mmendation h 2250 0 2 . OBJECT IDENTIFIER 14:34:21 UDPCHAN: 2 . . nonStandardData = (4294967185) . SEQUENCE 14:34:21 UDPCHAN: 3 . . . nonStandardIdentifier = (10964) . CHOICE . 14:34:21 UDPCHAN: 4 . . . . object = (8) iso identified-organization 12 2 1107 2 6 1 . OBJECT IDENTIFIER 14:34:21 UDPCHAN:

47、3 . . . data = (132) .!r.o .R.8.h.Po .R.8.hlP.8.6.6v=. .rZ.P 1 321 =0x014000080000000000002172005b6f2000. OCTET STRING 14:34:21 UDPCHAN: 2 . . discoveryComplete = (0) . BOOLEAN 14:34:21 UDPCHAN: 2 . . callSignalAddress = (1) . SEQUENCE OF 14:34:21 UDPCHAN: 3 . . . * = (6669) . CHOICE . 14:34:21 UDPC

48、HAN: 4 . . . . ipAddress = (4294967185) . SEQUENCE 14:34:21 UDPCHAN: 5 . . . . . ip = (4) .j =0x8b17ca6a . OCTET STRING (44) 14:34:21 UDPCHAN: 5 . . . . . port = (1152) . INTEGER (065535) 14:34:21 UDPCHAN: 2 . . rasAddress = (1) . SEQUENCE OF 14:34:21 UDPCHAN: 3 . . . * = (6669) . CHOICE . 14:34:21 UDPCHAN: 4 . . . . ipAddress = (4294967185) . SEQUENCE 14:34:21 UDPCHAN: 5 . . . . . ip = (4) .j =0x8b17ca6a . OCTET ETSI ETSI TS 101 888 V4.2.1 (2003-12) 11STRING (44) 14:34:21 UDPCHAN: 5 . . . . . port = (1151) . INTEGER (065535) 14:34:21 UDPCHAN: 2 . . terminalType = (4294967

展开阅读全文