D 13373.08
NOVEMBER 2007
MPS
TANDBERG
MPS
ADMINISTRATOR GUIDE
Built-In Encryption
The TANDBERG MPS has built-in encryption of audio, video and
data for:
H.323 meetings (based on ITU standard H.235 v2&v3)
•
H.320 meetings (based on ITU standard H.233 and H.234)
•
Encryption Mode
The administrator decides, when setting up the conference,
whether or not a conference shall be in encrypted mode or in
unencrypted mode. It is not possible to change the mode when
the conference is active with calls.
Encryption Algorithm
The encryption algorithms used in the TANDBERG system are:
The Data Encryption Standard (DES) with a 56 bits session
•
key
The Advanced Encryption Standard (AES) with a 128 bits ses-
•
sion key
Typical Setup of an Encrypted Call
Although there are some differences between H.323 and H.320,
a typical set-up of an encrypted call can be defined as follow:
Establishment of a common secret key and selection of an
1.
encryption algorithm.
Exchange of keys according to the common secret key and the
2.
selected encryption algorithm.
Start the encryption.
3.
Common Secret Key
The establishment of the common secret key is done through the
computation of a Diffie-Hellman (DH) algorithm. The DH method
uses primes numbers of 512 bits length for DES and 1024 bits
for AES.
Shared Secret Key
The shared secret key is then used as a key for the selected
encryption algorithm, which encrypts the session keys. When
the session key is collected by the remote end, encryption of the
audio, video and data channels can start.
Establishment of Encryption
The encryption will be established automatically when all end-
points in the conference supports encryption, with automatic key
generation (and the conference is set up for encryption mode of
operation).
Encryption Support
Encryption is supported on all bandwidths. Encryption is also
supported for DuoVideo
TF
and H.239.
For an encrypted conference, all endpoints must support AES or
DES encryption.
Encryption Configuration
Encryption is configured when you create a conference or a
conference template from the web interface, see
If Encryption Mode is set to Auto, the TANDBERG MPS accepts
•
both AES and DES encryption.
If Encryption Mode is set to AES, all participants must have
•
AES in order to join the conference.
Scenarios
If a site entering an encrypted conference does not support
•
encryption, a picture will be shown, informing that the confer-
ence requires encryption.
If a site connected to an encrypted conference starts sending
•
unencrypted data, that site will be taken out of the confer-
ence.
If the TANDBERG MPS administrator has forced the MCU to
•
require only e.g. AES encryption then, all participants must
have AES in order to join the conference.
For more information on AES and DES please visit the National
Institute of Standards and Technology at
For more details see the
Whitepaper TANDBERG MCU and IP
and the
Whitepaper TANDBERG Security
documents on
Secure Conference (Encryption)
Miscellaneous
Secure Conference (Encryption)
163
Introduction
Quick
Setup
Using
the MPS
System
Status
System
Configuration
Installation
Gateway
Configuration
MCU
Configuration
Appendices
Main
Technical
Descriptions