Telesis PX24 IP PBX Business Phone System
Design and manufacture IP PBX Business Phone System, Switching System, VoIP Gateway, and Signaling Converter  

AES 256 Media Encryption

Telesis Systems Offering AES 256 Media Encryption

  • Telesis Business Phone Systems:
    • PX24N (Telesis Nano) IP PBX SoHo System
    • PX24M Hybrid IP PBX Business Phone System
    • PX24X Hybrid IP PBX Business Phone System
  • Telesis Switching Systems:
    • X1 Large Capacity TDM - IP Telephony Switch
  • Combined VoIP Gateway and Signaling Converters:
    • Stillink 200
    • Stillink 800
    • Stillink 3200
  • Large Capacity IP PBX for Enterprises
    • Stillink 3200
  • IP Phones
    • Telesis VTS480 Executive IP Video Telephone Set
    • XPhone Softphone PC Edition

VoIP Protocols in Telesis Systems Offering AES 256 Media Encryption

  • H.323
  • xSIP (eXtended SIP)

H.323 and AES 256 Media Encryption

Introduction

All Telesis systems are complete voice communication systems that combine various TDM interfaces and IP components. They are all-in-one solutions with an integrated gatekeeper, softswitch capability, IP-TDM routing (gateway) functions, and numerous IP and traditional system features. Although the media encryption algorithm explained here also applies to H.323 endpoint-to-endpoint connections, it is recommended for H.323 endpoint-to-gatekeeper connections for further security.

The following paragraphs briefly describe the algorithms applied for site-to-site communication, such that:

  • Two Telesis systems in each site
  • Both systems are provided with necessary licenses for the VoIP media security and their parameters are set accordingly.

When bridging voice between distant offices over IP, the security of a VoIP call is guaranteed by encrypting the voice with 256-bit AES (AES-256).

Media can be encrypted with AES 256 among Telesis systems if H.323 protocol is used

Telesis systems support AES 256 media encryption over H.323

Secure Gatekeeper Registration

Two Telesis systems share an account name and a secret, which is the password. One system as an H.323 endpoint registers to the gatekeeper of the other with the shared account name and the password. For the registration, H.225 RAS messages are exchanged between the two Telesis systems according to the H.235 Baseline Security Profile with or without integrity check. The baseline security profile provides basic security for endpoint-to-gatekeeper registration using the secure password-based HMAC-SHA1-96 hashing algorithm.

Baseline authentication

For H.323 endpoint-to-gatekeeper registration, RAS message authentication follows the H.235 Baseline Security Profile standards. This security service supports authentication of selected fields only and does not provide full message integrity. The authentication-only security profile may be preferable for messages traversing NAT/firewall devices. The hashing algorithm is the password-based HMAC-SHA1-96.

Baseline integrity

For H.323 endpoint-to-gatekeeper registration, RAS message authentication and integrity follow the H.235 Baseline Security Profile standards. This security service combines both message integrity and authentication. The hashing algorithm is the password-based HMAC-SHA1-96.
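The difference between the two profiles can be seen when a NAT device rewrites an address in transit. The following is an added example, not Telesis code: the message layout, the field selection, the field encoding and the key derivation (SHA-1 of the password) are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical field selection: the page says only that the authentication-only
# profile covers "selected fields", not which ones.
AUTH_FIELDS = ("endpoint_id", "timestamp", "sequence")

def hmac_sha1_96(password: str, data: bytes) -> bytes:
    # Assumption: HMAC key = SHA-1(password). The tag is the leftmost
    # 96 bits (12 bytes) of the 160-bit HMAC-SHA1 output.
    key = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def covered_bytes(msg: dict, profile: str) -> bytes:
    if profile not in ("authentication", "integrity"):
        raise ValueError("unknown profile")
    # authentication: selected fields only; integrity: every field.
    names = AUTH_FIELDS if profile == "authentication" else sorted(msg)
    out = b""
    for name in names:
        for part in (name.encode("utf-8"), str(msg[name]).encode("utf-8")):
            out += len(part).to_bytes(2, "big") + part  # length-prefixed
    return out

def sign(msg: dict, password: str, profile: str) -> bytes:
    return hmac_sha1_96(password, covered_bytes(msg, profile))

def verify(msg: dict, tag: bytes, password: str, profile: str) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(sign(msg, password, profile), tag)

# Constructed registration request (not a real H.225 RAS encoding).
RRQ = {"endpoint_id": "site-b", "timestamp": "1700000000",
       "sequence": "42", "ras_address": "10.0.0.5:1719"}

def nat_rewrite(msg: dict) -> dict:
    # A NAT device replacing the private transport address in transit.
    return {**msg, "ras_address": "203.0.113.7:40001"}

if __name__ == "__main__":
    pw = "constructed-long-shared-secret"
    for profile in ("authentication", "integrity"):
        tag = sign(RRQ, pw, profile)
        print(profile, verify(nat_rewrite(RRQ), tag, pw, profile))
```

The authentication-only tag still verifies after the address rewrite, while the integrity tag does not; a change to a covered field or a wrong password fails under both.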

Encrypting the Media

To encrypt the media, the 256-bit Advanced Encryption Standard (AES-256) is used. AES-256 specifies a cryptographic algorithm using a symmetric block cipher that processes data blocks of 128 bits with a 256-bit cipher (crypto) key, which is agreed on through the Diffie-Hellman procedure. Audio samples are collected from the codec, encrypted, and inserted into the RTP payloads. When the receiving side gets the RTP payloads, decryption takes place.

Secure contact is established by generating and exchanging shared Diffie-Hellman half keys. The Diffie-Hellman master key for the AES-256 encryption is generated from the combination of the two shared half keys exchanged by the two Telesis systems involved in a call.

Diffie-Hellman key exchange

Telesis systems exchange Diffie-Hellman half keys using authentication based on the H.235 Baseline Security Profile with or without integrity check. This prevents Man-in-the-Middle (MIM) attacks, and the communicating systems can be sure with whom they share the Diffie-Hellman half keys. The hash algorithm for the H.235 Baseline Security Profile, with or without integrity check, is HMAC-SHA1-96. Exchange of HMAC-SHA1-96 hashed Diffie-Hellman half keys provides additional security.

Key exchange occurs during H.323 call signaling (H.225) messaging between two systems for end-to-end communication. The first call signaling message in each direction is used in the key exchange. The Setup message is used in the forward direction. A Setup Acknowledge, Call Proceeding, Alerting or Connect message can be used in the reverse direction. Since the authentication is keyed by the password, which is a secret shared by the two systems, it may be open to MIM attacks if simple passwords are chosen. Telesis systems allow Diffie-Hellman half key exchange provided that a sufficiently long password is selected. In the following cases, the call fails before connect:

  • Authentication failure
  • Authentication but missing half key in Setup message
  • Authentication but missing half key in one of Setup Acknowledge, Call proceeding, Alerting or Connect messages
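The acceptance logic described above, with its failure cases, as an added example that is not Telesis code. The Diffie-Hellman group (the Mersenne prime 2**521 - 1 with generator 3), the message layout, the SHA-1 password key and the SHA-256 derivation of the 32-byte AES-256 key are all assumptions, since the page does not specify them; the range check on the half key is an extra check added here.

```python
import hashlib
import hmac
import secrets

# Constructed demo group; the page does not name the product's group.
P, G = 2**521 - 1, 3
NBYTES = (P.bit_length() + 7) // 8

class CallRejected(Exception):
    pass

def tag96(password, call_id, half_key):
    # HMAC-SHA1-96 over the call id and the half key (empty if absent).
    key = hashlib.sha1(password.encode("utf-8")).digest()  # assumed derivation
    cid = call_id.encode("utf-8")
    data = len(cid).to_bytes(2, "big") + cid + (half_key or b"")
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def new_private():
    return secrets.randbelow(P - 3) + 2  # uniform in 2 .. P-2

def signaling_message(password, call_id, private=None):
    # Setup, or the first reverse message; private=None omits the half key.
    half_key = None
    if private is not None:
        half_key = pow(G, private, P).to_bytes(NBYTES, "big")
    return {"call_id": call_id, "half_key": half_key,
            "tag": tag96(password, call_id, half_key)}

def accept(msg, password, private):
    """Authenticate the peer's message, then derive the AES-256 key."""
    expected = tag96(password, msg["call_id"], msg["half_key"])
    if not hmac.compare_digest(expected, msg["tag"]):
        raise CallRejected("authentication failure")
    if msg["half_key"] is None:
        raise CallRejected("authenticated but missing half key")
    y = int.from_bytes(msg["half_key"], "big")
    if not 2 <= y <= P - 2:
        raise CallRejected("half key out of range")
    shared = pow(y, private, P).to_bytes(NBYTES, "big")
    return hashlib.sha256(shared).digest()  # 32 bytes; KDF is an assumption

if __name__ == "__main__":
    pw = "constructed-long-shared-secret-0123456789"
    a, b = new_private(), new_private()
    setup = signaling_message(pw, "call-1", a)    # forward direction
    connect = signaling_message(pw, "call-1", b)  # reverse direction
    print(accept(setup, pw, b) == accept(connect, pw, a))
```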

Summary

Security of VoIP communication between two Telesis systems is ensured with:

  • A sufficiently long password
  • Baseline Security Profile for RAS messaging for H.323 endpoint-to-gatekeeper registration
  • Baseline Security Profile for Call Signaling for secure Diffie-Hellman key exchange. 
  • Exchange of HMAC-SHA1-96 hashed Diffie-Hellman half keys
  • Cipher AES-256

xSIP and AES 256 Media Encryption

The xSIP (eXtended SIP) protocol has been developed by Telesis. The main purpose of its development is to make some value-added services in Telesis systems applicable to VoIP calls too.

AES 256 is also supported over xSIP

Telesis xSIP IP telephones connected to a Telesis system. AES 256 media encryption over xSIP


Beyond the comfort and availability of value-added services, xSIP also allows secure communication using AES-256 media encryption. Telesis Business Phone Systems, TDM-IP Telephony Switches, as well as xSIP Executive IP Telephone Sets (or XPhone Softphone) support AES-256 over the xSIP protocol. When bridging voice between distant offices over xSIP, the security of a VoIP call is provided by:

  • A Telesis system (where xSIP IP Telephones or XPhone Softphones register) with the necessary encryption license
  • Appropriate firmware (free) installed in the Telesis System
  • Appropriate firmware (free) installed in xSIP IP Telephones
  • Appropriate version of XPhone Softphones (PC, Pocket PC, or Smartphone Edition) 

AES 256 is also supported over xSIP

XPhone softphones connected to a Telesis system. AES 256 media encryption over xSIP

Security of VoIP communication between an xSIP IP Telephone Set (or XPhone Softphone) and a Telesis IP Telephony System is ensured with:

  • Telesis developed protocol: xSIP
  • Proprietary VoIP codecs
  • Intelligent algorithms for authentication
  • Exchange of Diffie-Hellman half keys
  • Cipher AES-256

AES 256 encryption in xSIP components

The perfect combination of various protocols and algorithms protects your conversations

Copyright Telesis A.S. 2006-2013