SmartWare Software Configuration Guide

45 • H.323 gateway configuration


H.235v2 Annex D provides authentication and integrity checking of H.323 RAS and H.225 messages, which thwarts replay and spoofing attacks on H.323 calls. With H.235 switched on, the following attacks are thwarted:

Denial of Service attacks

Man-in-the-middle attacks

Replay attacks (replay of recorded messages)

Spoofing

Connection hijacking

Besides other information such as the time stamp, sender ID and general ID, H.235 needs a password for crypto token generation. Because this password is readable in clear text when it is configured over a Telnet session or displayed in a running configuration, an encrypted password can be configured instead; the SmartNode decrypts it locally. Decryption requires a master password. The master password should not be configured over insecure links (links subject to wire-tapping); configure it only in a secure network (local area network), for example before delivery to the customer.

Henceforth, the H.235 password can be reconfigured securely even over insecure links.

To generate an encrypted H.235 password using the master password as the key, use the password encryption tool (‘getcryptopassword.exe’). This Windows command-line tool is invoked as follows:

getcryptopassword <h235-password> <master-password>

The H.235 password must be a random alphanumeric string of 1 through 12 characters (e.g. 12ygR34230kG). The master password must be a 32-digit hex number (characters 0-9, a-f). For the best encryption security, choose a random value with no repeating character sequences. The tool outputs the encrypted H.235 password and the hash of the master password. The encrypted H.235 password is then used for remote configuration of the H.235 password (over an insecure link).

The hash value of the master password can be used to verify that all parameters were configured correctly. The command show h235security displays all H.235 settings, including a hash value of the master password. If this value is identical to the hash value output by getcryptopassword.exe, the master password was configured successfully. This verification step can be performed securely even over insecure links (subject to wire-tapping), because the hash is computed with a mathematical one-way function: it is virtually impossible to derive the password from the hash value. To enable H.235 security on H.323, perform the steps described below.
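The two password constraints and the hash-based verification step described above can be checked before anything is typed into a SmartNode. The following Python is an added example, not Patton's tool or SmartWare's own algorithm: SHA-256 stands in for the unnamed one-way hash, the "repeated 4-digit substring" test is one assumed reading of the guide's "no repeating character sequences" advice, and all sample passwords are constructed. Its purpose is to show the format validation and the tool-hash versus device-hash comparison, not to reproduce the real encrypted-password format.

```python
import hashlib
import hmac
import re

# Constraints quoted from the guide: the H.235 password is 1 through 12
# alphanumeric characters; the master password is a 32-digit hex number
# using the characters 0-9 and a-f.
H235_PASSWORD_RE = re.compile(r"[A-Za-z0-9]{1,12}")
MASTER_PASSWORD_RE = re.compile(r"[0-9a-f]{32}")


def validate_h235_password(pw: str) -> bool:
    """True if pw satisfies the guide's 1-12 alphanumeric rule."""
    return H235_PASSWORD_RE.fullmatch(pw) is not None


def repeating_sequence(master: str, min_len: int = 4) -> bool:
    """True if some run of min_len or more hex digits occurs twice.

    This is an assumed interpretation of 'no repeating character
    sequences'; a random 32-digit hex value almost never trips it."""
    for n in range(min_len, len(master) // 2 + 1):
        seen = set()
        for i in range(len(master) - n + 1):
            chunk = master[i:i + n]
            if chunk in seen:
                return True
            seen.add(chunk)
    return False


def validate_master_password(master: str) -> bool:
    """32 lowercase hex digits and no repeated sequence (assumed check)."""
    return (MASTER_PASSWORD_RE.fullmatch(master) is not None
            and not repeating_sequence(master))


def master_password_hash(master: str) -> str:
    """One-way digest of the master password.

    SHA-256 is a stand-in: the guide only states that SmartWare's hash
    is a one-way function, it does not name the algorithm."""
    return hashlib.sha256(master.encode("ascii")).hexdigest()


def master_password_configured_ok(tool_hash: str, device_hash: str) -> bool:
    """The guide's verification step: the hash printed by the tool must
    equal the hash shown by 'show h235security'. A constant-time compare
    keeps the check itself from leaking how many digits matched."""
    return hmac.compare_digest(tool_hash.strip().lower(),
                               device_hash.strip().lower())


def check_password_pair(h235_pw: str, master: str) -> list:
    """Return a list of problems; empty means both values are acceptable."""
    problems = []
    if not validate_h235_password(h235_pw):
        problems.append("H.235 password must be 1-12 alphanumeric characters")
    if MASTER_PASSWORD_RE.fullmatch(master) is None:
        problems.append("master password must be 32 hex digits (0-9, a-f)")
    elif repeating_sequence(master):
        problems.append("master password contains a repeating sequence")
    return problems


if __name__ == "__main__":
    # Constructed sample values (not from the guide).
    good_master = "7f3a91c04e6b2d58a0f1c9e3b47d6a25"
    weak_master = "0123456789abcdef0123456789abcdef"
    print(check_password_pair("12ygR34230kG", good_master))  # []
    print(check_password_pair("12ygR34230kG", weak_master))
    tool_hash = master_password_hash(good_master)
    # Paste the value from 'show h235security' in place of device_hash.
    device_hash = tool_hash
    print("master password verified:",
          master_password_configured_ok(tool_hash, device_hash))
```

The H.235 password example 12ygR34230kG is the one the guide itself gives; the lowercase-only hex rule follows the guide's "0-9, a-f" wording, so an uppercase master password is rejected rather than silently normalised.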

Procedure: To enable H.235 security on H.323 gateway

H.235 configuration

You can control on a per-message-type basis which RAS messages are sent with an H.235 signature and for which received RAS messages the H.235 signature is verified. For this purpose the commands h235-security ras-auth-int-rx and h235-security ras-auth-int-tx take a new optional parameter that specifies the message type. The new format is:

[no] h235-security ras-auth-int-rx [<msg>]

[no] h235-security ras-auth-int-tx [<msg>]

Gateway configuration task list

Patton electronic SmartNode 4110 Series manual, page 551