Security Update Relating To H.323 And . - Polycom Support

SECURITY OFFICE UPDATE – H.323 and SIP AES Media Encryption – Version 2.0

Security Update Relating to H.323 and SIP AES Media Encryption on Polycom Products

DATE PUBLISHED: February 9th, 2016

Overview

As more video conference calls are conducted over public networks and public environments, the need to deploy security measures to protect the information discussed in the call rises. Conducting video conferences behind firewalls or over ISDN-based networks reduces the potential for call tapping, although there is still residual risk. Encryption solutions can assist with call privacy, even when calls are made over the public internet.

This document explains the details of Polycom's implementation of H.323 and SIP Media Encryption using the Advanced Encryption Standard ("AES"), which provides privacy during a video conference call. Specific details are then also provided for all Polycom Video endpoint and MCU products.

Standard Encryption

Polycom products use the Advanced Encryption Standard ("AES") as approved by the National Institute of Standards and Technology ("NIST") for encryption of digital information. When deployed within communication systems, AES ensures that the information discussed within a call is unintelligible to unauthorized parties that may have tapped into the communication system.

AES Media Encryption Technical Notes

- AES media encryption does not change the MTU (Maximum Transmission Unit) size. The endpoint reduces the payload as needed to comply with the configured MTU. Thus, the media payload within packets in an encrypted call will be smaller than those in an unencrypted call.
- AES media encryption does not introduce any extra latency.
- AES media encryption adds between 0-15 bytes of overhead per media packet.

Polycom H.323 Media Encryption Implementation

All currently shipping Polycom H.323 products support media encryption in H.323 calls using the mechanisms defined in H.235v3 (equivalently, per H.235.6), using encrypted RTP with native H.235/H.245 Diffie-Hellman key exchange.[1]

Table 1 shows the specific details of the support by product. All products have "baseline" support; some products have additional support as listed.

Product: Baseline Support (All Products)
    AES-128 Support: Supported (AES-CBC-128) (DH 1024)
    AES-256 Support: Not Supported
Product: Polycom HDX (version 3.1.x or later)
    AES-128 Support: Supported (AES-CBC-128) (DH 1024)
    AES-256 Support: Supported (AES-CBC-256) (DH 2048)
Product: Polycom RealPresence Group Series
    AES-128 Support: Supported (AES-CBC-128) (DH 1024)
    AES-256 Support: Supported (AES-CBC-256) (DH 2048)

Table 1 - H.323 Media Encryption Support

See the individual product administrative and user guides for details on how to configure and use H.323 media encryption (administrative and user guides are available at http://support.polycom.com in the "DOCUMENTS & DOWNLOADS" area).

[1] Many Polycom legacy systems also have the same baseline H.323 media encryption support, including ViewStation EX/FX/VS4000, V500, VSX (all models), MGC (all models).

Verifying secured connections

Polycom HDX and Polycom RealPresence Group Series endpoints support the display of an "encryption check code", which can be used to detect whether a Man-In-The-Middle (MITM) attack is underway in an H.323 call. The check code is displayed in the endpoint call statistics in the form of a long hexadecimal number. After an encrypted H.323 call has been established, the user at one end reads the check code out loud while a user on the other end verifies it. If the codes match, the call is secure; if they do not match, the Diffie-Hellman key exchange has been compromised and the call should be considered insecure. See the product user guides for additional details on this mechanism.

Polycom SIP Media Encryption Implementation

All currently shipping Polycom SIP products support media encryption in SIP calls per RFCs 3711 (SRTP), 4568 (SDP Security Descriptions for Media Streams) and 6188 (AES-192 and AES-256 usage in SRTP). RFC 4568 key exchange requires the use of TLS as the SIP transport protocol; media encryption is not available when using SIP/UDP or SIP/TCP. Refer to the product administration guides for details on how to ensure that TLS is configured as the SIP transport protocol (configured as part of "Secure Communication Mode" on the RMX; part of the "Local Cluster Signaling Settings" on DMA; configured as the SIP "Transport Protocol" on Polycom endpoints).

Table 2 shows the specific details of the support by product. All products have "baseline" support; some products have additional support as listed.

Product: Baseline Support (All Products)
    AES-128 Support: Supported (AES_CM_128_HMAC_SHA1_80)
    AES-256 Support: Not Supported
Product: Polycom RealPresence Collaboration Server (RMX) (version 8.1.4 or later)
    AES-128 Support: Supported (AES_CM_128_HMAC_SHA1_80) (AES_CM_128_HMAC_SHA1_32)
    AES-256 Support: Not Supported
Product: Polycom HDX (version 3.1.x or later)
    AES-128 Support: Supported (AES_CM_128_HMAC_SHA1_80)
    AES-256 Support: Supported (AES_CM_256_HMAC_SHA1_80)
Product: Polycom RealPresence Group Series (version 4.1 or later)
    AES-128 Support: Supported (AES_CM_128_HMAC_SHA1_80) (AES_CM_128_HMAC_SHA1_32)
    AES-256 Support: Supported (AES_CM_256_HMAC_SHA1_80) (AES_CM_256_HMAC_SHA1_32)

Table 2 - SIP Media Encryption Support
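As an added example (not from the bulletin and not Polycom's code), the Python below answers an RFC 4568 a=crypto offer against the per-product suite lists in Table 2 and refuses to negotiate at all when the SIP transport is not TLS, which is the condition the section above states. The product keys, the constructed SDP fragment and the dummy key material are assumptions; the 256-bit suite names are normalised to the RFC 6188 registered spelling (AES_256_CM_...) because the bulletin writes them as AES_CM_256_....

```python
import base64
import re
from typing import List, Optional, Tuple

# Suites per product from Table 2 of the bulletin, written with the RFC 6188 registered
# names (the bulletin spells AES_256_CM_* as AES_CM_256_*; both spellings are accepted).
PRODUCT_SUITES = {
    "baseline": {"AES_CM_128_HMAC_SHA1_80"},
    "rmx": {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"},
    "hdx": {"AES_CM_128_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_80"},
    "group_series": {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32",
                     "AES_256_CM_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_32"},
}
KEY_SALT_LEN = {"AES_CM_128": 30, "AES_256_CM": 46}  # master key + salt bytes (16+14, 32+14)
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len] [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(?:\|[^ |]+)*(?: .*)?$")

def parse_crypto_line(line: str) -> Optional[Tuple[int, str, bytes]]:
    """Return (tag, suite, key||salt) for a well-formed single-key a=crypto line, else None."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, key_b64 = int(m.group(1)), m.group(3)
    suite = m.group(2).replace("AES_CM_256_", "AES_256_CM_")  # bulletin spelling -> RFC 6188
    try:
        key_salt = base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4), validate=True)
    except ValueError:
        return None
    if len(key_salt) != KEY_SALT_LEN.get(suite[:10]):
        return None  # unknown cipher family, or key||salt size does not match the named suite
    return tag, suite, key_salt

def select_suite(sdp: List[str], product: str, sip_transport: str) -> Optional[Tuple[int, str]]:
    """First offered suite the product supports (offer order is the offerer's preference);
    None when nothing can be negotiated, which per the bulletin includes SIP over UDP/TCP."""
    if sip_transport.upper() != "TLS":
        return None
    for line in sdp:
        parsed = parse_crypto_line(line) if line.startswith("a=crypto:") else None
        if parsed and parsed[1] in PRODUCT_SUITES[product]:
            return parsed[0], parsed[1]
    return None

# Constructed SDP media fragment (not a real capture); the key||salt values are dummy bytes.
_K128 = base64.b64encode(bytes(range(30))).decode()
_K256 = base64.b64encode(bytes(range(46))).decode()
SAMPLE_OFFER = ["m=video 49170 RTP/SAVP 97",
                "a=crypto:1 AES_CM_256_HMAC_SHA1_80 inline:" + _K256 + "|2^20",
                "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:" + _K128,
                "a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:" + _K128 + "|2^20|1:4"]
```

Running select_suite over SAMPLE_OFFER shows the Group Series and HDX answering with the AES-256 suite, the RMX falling back to AES_CM_128_HMAC_SHA1_32, the baseline profile to AES_CM_128_HMAC_SHA1_80, and every product returning None when the transport is UDP.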

Key exchange is performed in-band over the TLS-secured SIP signaling channel according to RFC 4568.[2]

Media Encryption in SIP calls using TIP

Polycom HDX endpoints (version 3.0.2 and later) and Polycom RealPresence Collaboration Server (RMX) (version 7.6 and later) also support SIP media encryption in calls using Telepresence Interoperability Protocol (TIP). In addition to the same baseline SRTP media encryption support as documented above, these products include support for the following:

- IMTC TIP version 7.0 (http://www.imtc.org/downloads/IMTC-MembersTIPv7 Implementation Spec and License 2010r00.pdf)
- Cisco TIP Endpoint 1.7 Implementation (Implementation License with Cisco 1.7 endpoint profile 2010r00.pdf)
- SRTP-DTLS per RFC 4347, 5764
- Encrypted Key Transport (EKT) per -01

Contact

For additional information regarding Polycom product security, contact Polycom Technical Support – either call 1-800-POLYCOM or pport/us/support/documentation/security center.html for the latest information. You might also find value in the high-level security guidance and security news located at: http://www.polycom.com/security

[2] Care must be taken to ensure that TLS signaling is used end-to-end within the SIP infrastructure to protect the key exchange.

Revision History

Revision 1.0 - Original publication
Revision 2.0 – Updated Content and Formatting: February 9th, 2016

© 2016, Polycom, Inc. All rights reserved.

Trademarks

POLYCOM, the Polycom logo and all names and marks associated with Polycom and Polycom's products are trademarks and/or service marks of Polycom, Inc. and are registered and/or common law marks in the United States and various other countries. All other trademarks are property of their respective owners. No portion hereof may be reproduced or transmitted in any form or by any means, for any purpose other than the recipient's personal use, without the express written permission of Polycom.

Disclaimer

While Polycom uses reasonable efforts to include accurate and up-to-date information in this document, Polycom makes no warranties or representations as to its accuracy. Polycom assumes no liability or responsibility for any typographical errors, out of date information, or any errors or omissions in the content of this document. Polycom reserves the right to change or update this document at any time. Individuals are solely responsible for verifying that they have and are using the most recent Technical Bulletin.

Limitation of Liability

Polycom and/or its respective suppliers make no representations about the suitability of the information contained in this document for any purpose. Information is provided "as is" without warranty of any kind and is subject to change without notice. The entire risk arising out of its use remains with the recipient. In no event shall Polycom and/or its respective suppliers be liable for any direct, consequential, incidental, special, punitive or other damages whatsoever (including without limitation, damages for loss of business profits, business interruption, or loss of business information), even if Polycom has been advised of the possibility of such damages.
