1、 International Telecommunication Union ITU-T H.235.0TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2014) SERIES H: AUDIOVISUAL AND MULTIMEDIA SYSTEMSInfrastructure of audiovisual services Systems aspects H.323 security: Framework for security in ITU-T H-series (ITU-T H.323 and other ITU-T H.245
2、-based) multimedia systems Recommendation ITU-T H.235.0 ITU-T H-SERIES RECOMMENDATIONS AUDIOVISUAL AND MULTIMEDIA SYSTEMS CHARACTERISTICS OF VISUAL TELEPHONE SYSTEMS H.100H.199 INFRASTRUCTURE OF AUDIOVISUAL SERVICES General H.200H.219 Transmission multiplexing and synchronization H.220H.229 Systems
3、aspects H.230H.239Communication procedures H.240H.259 Coding of moving video H.260H.279 Related systems aspects H.280H.299 Systems and terminal equipment for audiovisual services H.300H.349 Directory services architecture for audiovisual and multimedia services H.350H.359 Quality of service architec
4、ture for audiovisual and multimedia services H.360H.369 Supplementary services for multimedia H.450H.499 MOBILITY AND COLLABORATION PROCEDURES Overview of Mobility and Collaboration, definitions, protocols and procedures H.500H.509 Mobility for H-Series multimedia systems and services H.510H.519 Mob
5、ile multimedia collaboration applications and services H.520H.529 Security for mobile multimedia systems and services H.530H.539 Security for mobile multimedia collaboration applications and services H.540H.549 Mobility interworking procedures H.550H.559 Mobile multimedia collaboration inter-working
6、 procedures H.560H.569 BROADBAND, TRIPLE-PLAY AND ADVANCED MULTIMEDIA SERVICES Broadband multimedia services over VDSL H.610H.619 Advanced multimedia services and applications H.620H.629 Ubiquitous sensor network applications and Internet of Things H.640H.649 IPTV MULTIMEDIA SERVICES AND APPLICATION
7、S FOR IPTV General aspects H.700H.719 IPTV terminal devices H.720H.729 IPTV middleware H.730H.739 IPTV application event handling H.740H.749 IPTV metadata H.750H.759 IPTV multimedia application frameworks H.760H.769 IPTV service discovery up to consumption H.770H.779 Digital Signage H.780H.789 E-HEA
8、LTH MULTIMEDIA SERVICES AND APPLICATIONS Interoperability compliance testing of personal health systems (HRN, PAN, LAN and WAN) H.820H.849 Multimedia e-health data exchange services H.860H.869 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T H.235.0 (01/2014) i Reco
9、mmendation ITU-T H.235.0 H.323 security: Framework for security in ITU-T H-series (ITU-T H.323 and other ITU-T H.245-based) multimedia systems Summary Recommendation ITU-T H.235.0 describes enhancements within the framework of the ITU-T H.3xx-series of Recommendations to incorporate security service
10、s such as authentication and privacy (data encryption). The proposed scheme is applicable to both simple point-to-point and multipoint conferences for any terminals which utilize Recommendation ITU-T H.245 as a control protocol and also to ITU-T H.323 systems that use the ITU-T H.225.0 RAS and/or ca
11、ll signalling protocol. For example, ITU-T H.323 systems operate over packet-based networks which do not provide a guaranteed quality of service (QoS). For the same technical reasons that the base network does not provide QoS, the network does not provide a secure service. Secure real-time communica
12、tion over insecure networks generally involves two major areas of concern authentication and privacy. This Recommendation describes the security infrastructure and specific privacy techniques to be employed by the ITU-T H.3xx-series of multimedia systems. This Recommendation covers areas of concern
13、for interactive conferencing. These areas include, but are not strictly limited to, authentication and privacy of all real-time media streams that are exchanged in the conference. This Recommendation provides the protocol and algorithms needed between the ITU-T H.323 entities. This Recommendation ut
14、ilizes the general facilities supported in Recommendation ITU-T H.245 and as such, any standard which operates in conjunction with this control protocol may use this security framework. It is expected that wherever possible, other ITU-T H-series terminals may interoperate and directly utilize the me
15、thods described in this Recommendation. This Recommendation will not initially provide for complete implementation in all areas and will specifically highlight end-point authentication and media privacy. This Recommendation includes the ability to negotiate services and functionality in a generic ma
16、nner and to be selective concerning cryptographic techniques and capabilities utilized. The specific manner in which they are used relates to systems capabilities, application requirements and specific security policy constraints. This Recommendation supports varied cryptographic algorithms, with va
17、ried options appropriate for different purposes (e.g., key lengths). Certain cryptographic algorithms may be allocated to specific security services (e.g., one for fast media stream encryption and another for signalling encryption). It should also be noted that some of the available cryptographic al
18、gorithms or mechanisms may be reserved for export or other national issues (e.g., with restricted key lengths). This Recommendation supports signalling of well-known algorithms in addition to signalling non-standardized or proprietary cryptographic algorithms. There are no specifically mandated algo
19、rithms; however, it is strongly suggested that end points support as many of the applicable algorithms as possible in order to achieve interoperability. This parallels the concept that the support of Recommendation ITU-T H.245 does not guarantee the interoperability between two entities codecs. Vers
20、ion 4 of Recommendation ITU-T H.235 broke up Recommendation ITU-T H.235 version 3 into a suite of ITU-T H.235.x sub-series Recommendations, and restructures the sub-series. Recommendations ITU-T H.235.8 and ITU-T H.235.9 were added to the suite, other sub-series Recommendations have been extended wi
21、th new functionality (Recommendations ITU-T H.235.3 and ITU-T H.235.5). Recommendation ITU-T H.235.0 contains the ITU-T H.323 security framework with common text and useful general information for all ITU-T H.235.x sub-series Recommendations. ii Rec. ITU-T H.235.0 (01/2014) Appendices IV, V and VI p
22、rovide a mapping of text, figures and tables from Recommendation ITU-T H.235 version 3 (2003), including the subsequent Corrigendum 1 and amendments to the new structure. This revision of Recommendation ITU-T H.235.0 is an enhancement to version 4 to add support for key material with lengths exceedi
23、ng 2048 bits. History Edition Recommendation Approval Study Group Unique ID*1.0 ITU-T H.235.0 2005-09-13 16 11.1002/1000/8592-en 2.0 ITU-T H.235.0 2014-01-13 16 11.1002/1000/12058-en Keywords Authentication, certificate, digital signature, encryption, integrity, key management, multimedia security,
24、security profile. _ *To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. Rec. ITU-T H.235.0 (01/2014) iii FOREWORD The International Telecommunic
25、ation Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff qu
26、estions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendati
27、ons on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation
28、, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability o
29、r applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance
30、 with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or a
31、pplicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to i
32、mplement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2014 All rights reserved. No part of this publication may be reproduced, by an
33、y means whatsoever, without the prior written permission of ITU. iv Rec. ITU-T H.235.0 (01/2014) Table of Contents Page 1 Scope 1 1.1 Structure of ITU-T H.235.x sub-series Recommendations 2 2 References. 2 3 Terms and definitions . 4 3.1 Terms defined elsewhere 4 3.2 Terms defined in this Recommenda
34、tion . 5 4 Abbreviations and acronyms 6 5 Conventions 7 6 System introduction 8 6.1 Summary . 9 6.2 Authentication 9 6.3 Call establishment security . 10 6.4 Call control (ITU-T H.245) security 10 6.5 Media stream privacy . 10 6.6 Trusted elements . 11 6.7 Non-repudiation 11 6.8 Mobility security 11
35、 6.9 Security profiles 12 6.10 Secured NAT/firewall traversal 12 7 Connection establishment procedures 13 8 Authentication signalling and procedures 13 8.1 Diffie-Hellman with optional authentication 13 8.2 Subscription-based authentication 14 8.3 RAS signalling/procedures for authentication 18 8.4
36、Key management on the RAS channel . 21 9 Asymmetric authentication and key exchange using elliptic curve crypto systems . 21 9.1 Key management 22 9.2 Digital signature . 22 10 Pseudo-random function (PRF) 22 11 Security error recovery . 23 11.1 Error signalling . 23 Annex A ITU-T H.235 ASN.1 25 Ann
37、ex B ITU-T H.324-specific topics 31 Appendix I ITU-T H.323 implementation details . 32 I.1 Implementation examples . 32 Appendix II ITU-T H.324 implementation details . 38 Rec. ITU-T H.235.0 (01/2014) v Page Appendix III Other ITU-T H-series implementation details 39 Appendix IV Section mapping of I
38、TU-T H.235v3Amd1Cor1 to ITU-T H.235v4 sub-series Recommendations 40 Appendix V Figure mapping of ITU-T H.235v3Amd1Cor1 to ITU-T H.235v4 sub-series Recommendations 49 Appendix VI Table mapping of ITU-T H.235v3Amd1Cor1 to ITU-T H.235v4 sub-series Recommendations 52 Bibliography. 53 Rec. ITU-T H.235.0
39、(01/2014) 1 Recommendation ITU-T H.235.0 ITU-T H.323 security: Framework for security in ITU-T H-series (ITU-T H.323 and other ITU-T H.245-based) multimedia systems 1 Scope The primary purpose of Recommendation ITU-T H.235.0 is to provide a security framework for authentication, privacy and integrit
40、y within the current ITU-T H-series protocol framework. The current text of this Recommendation provides details on implementation with ITU-T H.323. This framework is expected to operate in conjunction with other ITU-T H-series protocols that utilize ITU-T H.245 as their control protocol and/or use
41、the ITU-T H.225.0 RAS and/or call signalling protocol. Additional goals in this Recommendation include: 1) Security architecture should be developed as an extensible and flexible framework for implementing a security system for ITU-T H-series terminals and other ITU-T H.323-based systems. This shoul
42、d be provided through flexible and independent services and the functionality that they supply. This includes the ability to negotiate and to be selective concerning the cryptographic techniques utilized and the manner in which they are used. 2) Provide security for all communications occurring as a
43、 result of ITU-T H.3xx protocol usage. This includes aspects of connection establishment, call control and media exchange between all entities. This requirement includes the use of confidential communication (privacy) and may exploit functions for peer authentication, as well as protection of the us
44、ers environment from attacks. 3) This Recommendation should not preclude integration of other security functions in ITU-T H.3xx entities which may protect them against attacks from the network. 4) This Recommendation should not limit the ability for any ITU-T H.3xx-series Recommendation to scale as
45、appropriate. This may include both the number of secured users and the levels of security provided. 5) Where appropriate, all mechanisms and facilities should be provided independent of any underlying transport or topologies. Other means that are outside the scope of this Recommendation may be requi
46、red to counter such threats. 6) Provisions are made for operation in a mixed environment (secured and unsecured entities). 7) This Recommendation should provide facilities for distributing session keys associated with the cryptography utilized. (This does not imply that public-key-based certificate
47、management must be part of this Recommendation.) 8) This Recommendation provides two security profiles that facilitate interoperability. ITU-T H.235.1 describes a simple, yet secure password-based security profile while ITU-T H.235.2 is a signature security profile deploying digital signatures, cert
48、ificates and a public-key infrastructure that overcomes the limitations of ITU-T H.235.1. The security architecture described in this Recommendation, does not assume that the participants are familiar with each other. It does, however, assume that appropriate precautions have been taken to physicall
49、y secure the ITU-T H-series end points. The principal security threat to communications therefore is assumed to be eavesdropping on the network, or some other method of diverting media streams. ITU-T H.323 provides the means to conduct an audio, video and data conference between two or more parties, but does not provide the mechanism to allow each participant to authenticate the 2 Rec. ITU-T H.235.0 (01/2014) identity of the other participants, nor provide the means to make the c