Hey Jan, What you point out is unfortunately quite spot-on. Good news first: Avaya did support H.235.2 with certain extensions that is - to my knowledge - the most secure H.323 deployment I have seen. They did an authenticated DH during the registration phase, and then did an HMAC for all RAS/Q931 messages, and finally AES-based media encryption. This is pretty standard, except for the Q931 authentication which was their extension. Tandberg/Cisco supported the scheme for some time - but not anymore. Most vendors (including aforementioned vendors) have mostly just hoped that the entire industry is going to move to SIP and also placed their bets there, hoping that all the security problems with H.323 authentication would go away. This hasn't happened. The orchestrated effort needed to do something on both the endpoint side and the gatekeeper side meant that none but the biggest vendors can pull this off, the ones who own the end-to-end solution. Finally, customers are mostly unaware. Even if they are, they are not knowledgeable enough to really get a feeling for how bad the placebo security is. One can only speculate how the telepresence deployment in the UN was spied on (http://www.telepresenceoptions.com/2013/08/german_magazine_nsa_decrypted_/) :-) Good luck! ~Hani Mustafa > On 23. sep. 2013, at 12:55, Jan Willamowius <jan@xxxxxxxxxxxxxx> wrote: > > Hi, > > after implementing H.235 media encryption in the GNU Gatekeeper and > H323Plus I am surprised by the false sense of security people have > about their commercial endpoints. > > I have collected my thoughts here along with a suggestion for a partial > fix. > > http://www.gnugk.org/h323-encryption.html > > http://www.gnugk.org/gnugk-tls-tunnel.html > > > How does encryption work for H.323 calls ? > > Most endpoints today have a setting for "AES encryption" and will show some indicator (usually a closed lock) when the current call is being encrypted. Most users take this as a sign that their conversation can not be snooped on. Unfortunately thats not true for many implementations. > > Why so ? AES itself is a very secure algorithm, unless you know the key used for the encryption... > > Virtually all endpoints, use the standard H.235.6 encryption. H.235.6 specifies that a master key is negotiated when the call is established using a Diffie-Hellman exchange. From this master key, the H.245 master in the call creates separate media keys for each logical channel (thats a very good design, so we don't use the master key too often). > > Unfortunately the Diffie-Hellman exchange is easily attacked by a man-in-the-middle and must be protected by separate security measures to be safe. H.323 and H.235 mention TLS or IPSec encryption to secure the signaling channel, but so far I haven't seen any commercial endpoint that actually implements this! > > What does this all mean ? > > Unless you currently encrypt your whole network up to the destination endpoint using IPSec, your AES encryption is only reasonably safe against attackers that use passive listening, but is easily(!) subverted with a man-in-the-middle attack. > > It doesn't take expensive equipment to mount a man-in-the-middle attack, two GNU Gatekeepers working as encryption proxies are enough. I don't want to give a detailed explanation, but its really simple. The harder part is to divert H.323 calls through a listening device, but tampering with BGP routes happens quite often and some attackers might even have direct access to your internet lines. So this danger is quite real. > > What should you do ? > > - Don't stop using AES encryption, make more use of it! At least against passive listening, its a good protection. > > - Check if your endpoint supports TLS encryption. For example use Wireshark, filter by "h225" and if you can see Setup, Alerting and Connect messages for your call, its not encrypted. > > - Ask your vendor why he doesn't support encryption for the signaling channel! > > - Spread the word and help avoiding a false sense of security using current encryption implementations! > > - You can use GnuGk's TLS encryption to at least encrypt H.323 signaling over internet connections that are especially prone to eavesdropping. See this TLS tunnel example: > http://www.gnugk.org/gnugk-tls-tunnel.html > > - If you do come across endpoints that support TLS encryption, please contact me. I'd love to run some interoperability tests. > > - I'm still looking for sponsors to improve the TLS encryption in GnuGk and implement similar in H323Plus. Please contact me. > > > > -- > Jan Willamowius, Founder of the GNU Gatekeeper Project > EMail : jan@xxxxxxxxxxxxxx > Website: http://www.gnugk.org > Support: http://www.willamowius.com/gnugk-support.html > > Relaxed Communications GmbH > Frahmredder 91 > 22393 Hamburg > Geschäftsführer: Jan Willamowius > HRB 125261 (Amtsgericht Hamburg) > USt-IdNr: DE286003584 > > ------------------------------------------------------------------------------ > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! > 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk > _______________________________________________________ > > List: Openh323gk-developer@xxxxxxxxxxxxxxxxxxxxx > Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-developer > Homepage: http://www.gnugk.org/ ------------------------------------------------------------------------------ LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk _______________________________________________________ Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users Homepage: http://www.gnugk.org/