ETSI TS 101 888 V4.2.1 (2003-12)

Technical Specification

Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 4;
Test Scenarios;
Security testing - H.323 environment

Reference: RTS/TIPHON-06014R42
Keywords: H.323, IP, protocol, telephony, testing, security, VoIP

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, send your comment to: editor@etsi.org

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2003. All rights reserved.

DECT(TM), PLUGTESTS(TM) and UMTS(TM) are Trade Marks of ETSI registered for the benefit of its Members. TIPHON(TM) and the TIPHON logo are Trade Marks currently being registered by ETSI for the benefit of its Members. 3GPP(TM) is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.

Contents

Intellectual Property Rights ... 4
Foreword ... 4
1 Scope ... 5
2 References ... 5
3 Definitions and abbreviations ... 6
3.1 Definitions ... 6
3.2 Abbreviations ... 6
4 Security test strategy ... 6
5 H.235 Annex D ... 7
5.1 Overview ... 7
5.2 Received message ... 10
5.3 Separate steps ... 11
5.4 RRQ message with H.235 V2 ... 13
5.5 Following RFC with sendersID ... 14
5.6 Test configurations ... 15
5.6.1 Gatekeeper and terminal ... 15
5.6.2 Gatekeeper and gateway ... 15
5.6.3 Gatekeeper and Gatekeeper ... 15
6 H.235, annex F ... 15
6.1 Overview ... 15
6.2 RRQ with DH Set received by the Gatekeeper with signed token ... 17
6.3 RCF with DH Set of GK received by the client with signed token ... 20
6.4 ARQ now with baseline security received by the Gatekeeper with CryptoHashedToken ... 22
6.5 ACF received by the Client with cryptohashed token ... 24
6.6 Private key of Gatekeeper ... 26
6.7 Certificate of Gatekeeper ... 27
6.8 Private key of endpoint ... 27
6.9 Certificate of endpoint ... 28
6.10 Test Configurations ... 28
6.10.1 Gatekeeper and Terminal ... 28
6.10.2 Gatekeeper and Gateway ... 28
6.10.3 Gatekeeper and Gatekeeper ... 29
7 Global Service Providers ... 29
History ... 30

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Specification (TS) has been produced by ETSI Project Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON).

1 Scope

The scope of the present document is to define the security test specifications for TIPHON Release 4 for the H.323 [5] environment. The security methods considered in the present document are related only to IP based networks. The signalling path and the media path in the SCN are considered to be secure ("trust by wire").

This security test specification does not explain Recommendation H.235 [2] and its annexes, nor does it explain how to implement the security procedures. For further information on H.235, please refer to [2] or [4]. Rather, the present document provides a step-wise implementation approach showing example security message processing along with the generated output.

2 References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.

- References are either specific (identified by date of publication and/or edition number or version number) or non-specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

[1] ITU-T Recommendation H.225.0: "Call signalling protocols and media stream packetization for packet based multimedia communication systems".
[2] ITU-T Recommendation H.235: "Security and Encryption for H-series (H.323 and other H.245 based) multimedia terminals".
[3] ITU-T Recommendation H.235 Annex F: "Hybrid Security Profile".
[4] ITU-T Recommendation H.245: "Control protocol for multimedia communication".
[5] ITU-T Recommendation H.323: "Packet based multimedia communications systems".
[6] ETSI TS 101 883: "Telecommunications and Internet Protocol Harmonization Over Networks (TIPHON) Release 4; Interface Protocol Requirements Definition; Implementation of TIPHON architecture using H.323".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the definitions given in ITU-T Recommendations H.225.0 [1], H.235 [2], H.245 [4] and H.323 [5] apply.

3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

A     Audio
ARQ   Admissions ReQuest
ACF   Admissions ConFirm
ARJ   Admissions ReJect
A/V   Audio/Video
D     Data
DRQ   Disengage ReQuest
DCF   Disengage ConFirm
IP    Internet Protocol
LRQ   Location ReQuest
LCF   Location ConFirm
QoS   Quality of Service
SCN   Switched Circuit Networks

4 Security test strategy

Security testing should be performed after a vendor has completed product and system testing with the ETSI testing standards.

The basic idea for security testing is to show the generation and insertion of the security bits into the specific parameters of the H.323 [5] messages. Because this mechanism is exactly the same on the sender's and the receiver's side, no distinction is necessary. To test entities for their implementation of security, two entities (that are already interworking) need to be connected. In the case of incorrect security information it is necessary to go into the detail of the generation of the security bits. In order to be able to determine the reason for such a failure, the security test strategy is simply to look at the different steps of the generation and insertion of the security bits into the protocol elements. This is the only way to determine the failure.

The security testing shall be performed for the following configurations:

Signalling path:
- Gatekeeper and Terminal;
- Gatekeeper and Gateway;
- Gatekeeper and Gatekeeper.

Media path:
- Terminal and Terminal;
- Terminal and Gateway;
- Gateway and Gateway.
Global Service Providers:
- BES and TRC;
- BES and CH;
- BES and CA.

The security testing shall be performed in three different parts. The first part deals with the security testing for the signalling path (Terminal, Gatekeeper, Gateway) using annex D of H.235 [2]. The second part deals with the security aspects for the signalling path, equivalent to the first part but using annex F of H.235 [2], and with the media path using H.235. The third part handles the security testing from the BES to the global service providers.

5 H.235 Annex D

5.1 Overview

Figure 1 shows the basic steps to be taken at the originating entity and illustrates the procedures specified by Annex D of H.235 [2], in particular clauses D.6.3.2 and D.6.3.3.

[Figure 1: Stepwise approach for sender. The figure shows the H.225.0 message with its CryptoH323Token, nestedCryptoToken and CryptoHashedToken (token fields: timestamp, random, algOID, generalID, OIDs, cryptoHashedToken hash value, params, sendersID, DH); the default pattern written into the hash field; ASN.1 encoding of the message; computing the SHA1 hash of the password; computing the HMAC SHA1 hash; and inserting the resulting HASHED value into the CryptoH323Token. The steps are numbered 1 to 9.]

Figure 2 shows the basic steps to be taken at the receiving side, starting with the entire message, decoding it, breaking it into pieces, extracting the necessary parts, and the final computation/verification step.

NOTE 1: The figures just visualize the essential steps as an example and correlate with the print out in clause 5.3; in any case, the procedures and description of annex D of H.235 [2] take precedence.

NOTE 2: The print out in clause 5.4 reflects H.235 V2 with the sendersID used.

NOTE 3: The figures and print out reflect a scenario endpoint to gatekeeper; other scenarios and examples are not shown.
NOTE 4: The default pattern is a local value that is being used temporarily when computing the hash value, see clause D.6.3.3.2 of H.235 [2].

[Figure 2: Stepwise approach for receiver. The figure shows the received H.225.0 message with its CryptoH323Token; ASN.1 decoding of the message; the nestedCryptoToken and CryptoHashedToken (token fields: timestamp, random, algOID, generalID, OIDs, cryptoHashedToken hash value, params, sendersID, DH); extraction of the received hash value (RV); the default pattern written into the hash field; computing the SHA1 hash of the password; computing the HMAC SHA1 hash (HASHED); and the final "Compare/Verify hash values" step between HASHED and RV. The steps are numbered 1 to 12, with 11a and 11b.]

5.2 Received message

The examples shown in clauses 5.2 and 5.3 use the RRQ sent by a Terminal and received at the Gatekeeper. The print out in clauses 5.2 and 5.3 reflects H.235 V1, i.e. sendersID is not used. The received RRQ message is given in binary and with all fields shown. The received binary message part is given and the separate steps are shown for the verification.

Password = fries
SHA1 = 91 27 1C 95 F0 A3 A0 6F 0D 79 75 B1 19 5F A1 28 8A 86 B6 D4

A received RRQ message with embedded Cryptotoken:

* * RECEIVE RRQ FROM EP AT GK * *
14:34:12 TPKTCHAN: Address:
14:34:12 TPKTCHAN: 0 TransportAddress = (0) . CHOICE .
14:34:12 TPKTCHAN: 1 . ipAddress = (0) . SEQUENCE
14:34:12 TPKTCHAN: 2 . . ip = (4) .j =0x8b17ca6a . OCTET STRING (44)
14:34:12 TPKTCHAN: 2 . . port = (1720) . INTEGER (065535)
14:34:21 UDPCHAN: New message (channel 0) recv TransportAddress = (0) . CHOICE .
14:34:21 UDPCHAN: 1 . ipAddress = (0) . SEQUENCE
14:34:21 UDPCHAN: 2 . . ip = (4) .j =0x8b17ca6a . OCTET STRING (44)
14:34:21 UDPCHAN: 2 . . port = (1151) . INTEGER (065535)
14:34:21 UDPCHAN: Binary:
14:34:21 UDPCHAN: 00000 0f 80 3a 27 06 00 08 91 4a 00 02 00 08 2b 0c 02 |.:.“J+|
14:34:21 UDPCHAN: 00016 88 53 02 06 01 80 84 01 40 00 08 00 00 00 00 00 |S.|
14:34:21 UDPCHAN: 00032 00 21 72 00 5b 6f 20 00 52 00 07 00 00 fb 38 00 |.!r.o .R8.|
14:34:21 UDPCHAN: 00048 12 fa 68 00 12 c5 19 00 50 6f 20 00 52 00 07 00 |.hPo .R.|
14:34:21 UDPCHAN: 00064 00 fb 38 00 12 fa 68 00 12 00 00 00 00 00 00 00 |.8h.|
14:34:21 UDPCHAN: 00080 00 6c c0 00 50 fb 38 00 12 fa 94 00 12 fa 9c 00 |.l.P8“.|
14:34:21 UDPCHAN: 00096 12 01 ec 00 00 02 36 00 00 00 0e 00 00 02 36 00 |.6.6.|
14:34:21 UDPCHAN: 00112 00 60 76 3d 18 20 ec f3 2e 00 00 00 00 9d b5 72 |.v=. .r|
14:34:21 UDPCHAN: 00128 5a 00 50 00 c2 01 ee 00 00 00 00 00 00 ff ff ff |Z.P.|
14:34:21 UDPCHAN: 00144 ff 20 31 20 33 32 31 32 20 1e 00 00 01 00 8b 17 | 1 3212 .|
14:34:21 UDPCHAN: 00160 ca 6a 04 80 01 00 8b 17 ca 6a 04 7f 22 c0 0b 0b |j.j.“|
14:34:21 UDPCHAN: 00176 00 0b 0f 54 65 73 74 20 61 70 70 6c 69 63 61 74 |.Test applicat|
14:34:21 UDPCHAN: 00192 69 6f 6e 08 52 41 44 56 69 73 69 6f 6e 00 02 08 |ion.RADVision.|
14:34:21 UDPCHAN: 00208 00 46 c3 56 53 54 39 34 48 54 04 00 35 00 33 00 |.FVST94HT5.3.|
14:34:21 UDPCHAN: 00224 34 00 30 00 33 60 0b 0b 00 0b 0f 54 65 73 74 20 |4.0.3.Test |
14:34:21 UDPCHAN: 00240 61 70 70 6c 69 63 61 74 69 6f 6e 08 52 41 44 56 |application.RADV|
14:34:21 UDPCHAN: 00256 69 73 69 6f 6e 12 2b 80 56 01 74 07 00 08 81 6b |ision.+V.t.k|
14:34:21 UDPCHAN: 00272 00 01 01 45 00 07 00 08 81 6b 00 01 05 c0 3a 22 |.Ek.:“|
14:34:21 UDPCHAN: 00288 62 db 01 29 22 00 53 00 69 00 65 00 6d 00 65 00 |b.)“.S.i.e.m.e.|
14:34:21 UDPCHAN: 00304 6e 00 73 00 20 00 47 00 61 00 74 00 65 00 6b 00 |n.s. .G.a.t.e.k.|
14:34:21 UDPCHAN: 00320 65 00 65 00 70 00 65 00 72 07 00 08 81 6b 00 01 |e.e.p.e.r.k|
14:34:21 UDPCHAN: 00336 06 00 60 07 89 a6 ee 75 bb 59 c1 a6 ca a4 72 01 |.uYr.|
14:34:21 UDPCHAN: 00352 00 01 00 01 00 01 00 |.|
14:34:21 UDPCHAN: Message:
14:34:21 UDPCHAN: 0 RasMessage = (6502) . CHOICE .
14:34:21 UDPCHAN: 1 . registrationRequest = (4294967185) . SEQUENCE .
14:34:21 UDPCHAN: 2 . . requestSeqNum = (14888) . INTEGER (165535)
14:34:21 UDPCHAN: 2 . . protocolIdentifier = (6) itu-t recommendation h 2250 0 2 . OBJECT IDENTIFIER
14:34:21 UDPCHAN: 2 . . nonStandardData = (4294967185) . SEQUENCE
14:34:21 UDPCHAN: 3 . . . nonStandardIdentifier = (10964) . CHOICE .
14:34:21 UDPCHAN: 4 . . . . object = (8) iso identified-organization 12 2 1107 2 6 1 . OBJECT IDENTIFIER
14:34:21 UDPCHAN: 3 . . . data = (132) .!r.o .R.8.h.Po .R.8.hlP.8.6.6v=. .rZ.P 1 321 =0x014000080000000000002172005b6f2000. OCTET STRING
14:34:21 UDPCHAN: 2 . . discoveryComplete = (0) . BOOLEAN
14:34:21 UDPCHAN: 2 . . callSignalAddress = (1) . SEQUENCE OF
14:34:21 UDPCHAN: 3 . . . * = (6669) . CHOICE .
14:34:21 UDPCHAN: 4 . . . . ipAddress = (4294967185) . SEQUENCE
14:34:21 UDPCHAN: 5 . . . . . ip = (4) .j =0x8b17ca6a . OCTET STRING (44)
14:34:21 UDPCHAN: 5 . . . . . port = (1152) . INTEGER (065535)
14:34:21 UDPCHAN: 2 . . rasAddress = (1) . SEQUENCE OF
14:34:21 UDPCHAN: 3 . . . * = (6669) . CHOICE .
14:34:21 UDPCHAN: 4 . . . . ipAddress = (4294967185) . SEQUENCE
14:34:21 UDPCHAN: 5 . . . . . ip = (4) .j =0x8b17ca6a . OCTET STRING (44)
14:34:21 UDPCHAN: 5 . . . . . port = (1151) . INTEGER (065535)
14:34:21 UDPCHAN: 2 . . terminalType = (4294967
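The sender and receiver steps of clause 5.1 (Figures 1 and 2), and the step-by-step fault isolation that clause 4 calls for, can be exercised in code. The following Python is an added example written for this page; it is not ETSI's, the document's, or any vendor's implementation, and nothing in it is taken from the trace above except the password "fries" and the generalID "Siemens Gatekeeper" that the decoded RRQ shows. Three things are assumptions of the example rather than statements of the document: the HMAC-SHA1 key is taken to be the SHA1 digest of the password octets (consistent with the "Password = fries / SHA1 = ..." line in clause 5.2, but the derivation rule is assumed here); the default pattern that occupies the hash field while hashing is taken to be 20 zero octets (NOTE 4 only says it is a local, temporary value); and the token is serialized in a constructed tag/length/value layout rather than the ASN.1 PER encoding a real H.225.0 stack uses. The `verification_steps` function is the test-strategy part: it returns every intermediate value of the receiver side, so a mismatch can be traced to the key, the pattern-substituted encoding, or the hash itself.

```python
"""Added illustration of the H.235 Annex D hashing steps (Figures 1 and 2).

Example code written for this page; not ETSI's, the document's or any vendor's
implementation. Assumptions not taken from the document:
  * HMAC-SHA1 key = SHA1 digest of the password octets (derivation rule assumed);
  * default pattern in the hash field while hashing = 20 zero octets (NOTE 4
    only says it is a local, temporary value);
  * constructed tag/length/value serialization instead of ASN.1 PER.
"""
import hashlib
import hmac
import struct

HASH_LEN = 20                       # HMAC-SHA1 produces a 20-octet hash value
DEFAULT_PATTERN = bytes(HASH_LEN)   # assumed placeholder for the hash field (NOTE 4)

# Constructed tags for the simplified CryptoHashedToken fields of this example.
TAG_TIMESTAMP, TAG_RANDOM, TAG_GENERAL_ID, TAG_HASH = 0x01, 0x02, 0x03, 0x04


def derive_key(password: str) -> bytes:
    """Assumed key derivation: SHA1 over the password octets (Figure 1, 'Compute SHA1 hash')."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def _tlv(tag: int, value: bytes) -> bytes:
    """Constructed record: tag (1 octet), length (2 octets, big endian), value."""
    return struct.pack(">BH", tag, len(value)) + value


def encode_token(timestamp: int, random: int, general_id: str, hash_value: bytes) -> bytes:
    """Serialize a simplified CryptoHashedToken; hash_value is the default pattern or the real hash."""
    return (
        _tlv(TAG_TIMESTAMP, struct.pack(">I", timestamp))
        + _tlv(TAG_RANDOM, struct.pack(">I", random))
        + _tlv(TAG_GENERAL_ID, general_id.encode("utf-16-be"))  # BMPString-like, as in the trace
        + _tlv(TAG_HASH, hash_value)
    )


def hash_offset(encoded: bytes) -> int:
    """Walk the records and return the offset of the hash value (Figure 2, extracting the parts)."""
    pos = 0
    while pos + 3 <= len(encoded):
        tag, length = struct.unpack(">BH", encoded[pos:pos + 3])
        if tag == TAG_HASH:
            return pos + 3
        pos += 3 + length
    raise ValueError("no hash field in token")


def sender_protect(password: str, timestamp: int, random: int, general_id: str) -> bytes:
    """Figure 1: encode with the default pattern, HMAC-SHA1 the whole encoding, then insert the hash."""
    with_pattern = encode_token(timestamp, random, general_id, DEFAULT_PATTERN)
    hashed = hmac.new(derive_key(password), with_pattern, hashlib.sha1).digest()
    return encode_token(timestamp, random, general_id, hashed)


def verification_steps(password: str, received: bytes) -> dict:
    """Figure 2 step by step, so a failing test can be traced to the step that differs (clause 4)."""
    off = hash_offset(received)
    received_value = received[off:off + HASH_LEN]                      # RV in Figure 2
    with_pattern = received[:off] + DEFAULT_PATTERN + received[off + HASH_LEN:]
    key = derive_key(password)
    hashed = hmac.new(key, with_pattern, hashlib.sha1).digest()         # HASHED in Figure 2
    return {
        "key": key.hex(),
        "with_pattern": with_pattern.hex(),
        "received_hash": received_value.hex(),
        "computed_hash": hashed.hex(),
        "match": hmac.compare_digest(received_value, hashed),          # constant-time compare
    }


def receiver_verify(password: str, received: bytes) -> bool:
    """Final Compare/Verify step of Figure 2."""
    return verification_steps(password, received)["match"]


if __name__ == "__main__":
    # Constructed sample values; the generalID is the one visible in the clause 5.2 trace.
    rrq_token = sender_protect("fries", 1070000000, 4660, "Siemens Gatekeeper")
    for name, value in verification_steps("fries", rrq_token).items():
        print(f"{name:14s} {value}")
```

Running the module prints the intermediate values of the receiver side for a token the sender side just produced. When two implementations disagree, comparing these printed values against the peer's own trace tells which step diverged: a different `key` points at the password handling, a different `with_pattern` at the encoding or the default pattern, and identical inputs with a different `computed_hash` at the HMAC itself.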