Technical Description of TANDBERG MCU with software version D3
D12925 Rev. 03
19
4.1.9 Secure Conference (Encryption)
The TANDBERG MCU has built-in encryption of audio, video and data for both H.323
meetings (based on ITU standard H.235) and H.320 (based on ITU standard H.233 and H.234)
meetings. The administrator decides, when setting up the conference, whether the
conference shall run in encrypted mode or in unencrypted mode. It is not possible to change the
mode after the conference is set up.
The encryption algorithms used in the TANDBERG system are:
- The Data Encryption Standard (DES) with a 56-bit session key
- The Advanced Encryption Standard (AES) with a 128-bit session key
Although there are small differences between H.323 and H.320, a typical set-up of a secure call
can be defined as follows:
1. Establishment of a common shared secret and selection of an encryption algorithm.
2. Exchange of the keys according to the common shared secret and the selected encryption
algorithm.
3. Start the encryption.
The establishment of the common shared secret is done through the computation of the Diffie-
Hellman (DH) algorithm. The DH method uses prime numbers of 512 bits in length for DES and
1024 bits for AES. The shared secret is then used as a key for the selected encryption algorithm,
which encrypts "the session keys". Once the session keys have been received by the remote end,
encryption of the audio, video and data channels can start.
The encryption will be established automatically when all endpoints in the conference support
encryption with automatic key generation (and the conference is set up for encryption mode of
operation).
Encryption is supported for meetings up to 768 kbps and the TANDBERG feature DuoVideo.
Note: For an encrypted conference, all endpoints must support encryption (AES or DES).
- If encryption mode is set to Auto, the MCU accepts both AES and DES encryption.
- The MCU administrator can also force the MCU to require only e.g. AES encryption. In this
case, all participants must have AES in order to join the conference.
If a site entering an encrypted conference does not support encryption, a picture will be
shown, informing that the conference requires encryption.
If a site connected to an encrypted conference starts sending unencrypted data, that site
will be taken out of the conference.
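The admission and enforcement rules described in this section, modelled as an added Python example (not TANDBERG code). It assumes that in Auto mode each site is given AES when it supports it and DES otherwise, and the status strings and class names are invented for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Cipher(Enum):
    DES = "DES"   # 56-bit session key, 512-bit DH prime
    AES = "AES"   # 128-bit session key, 1024-bit DH prime


# Constructed tables mirroring the key and DH prime sizes stated in the text.
SESSION_KEY_BITS = {Cipher.DES: 56, Cipher.AES: 128}
DH_PRIME_BITS = {Cipher.DES: 512, Cipher.AES: 1024}


@dataclass
class Conference:
    """Encryption policy is fixed when the conference is created and cannot change later."""
    encrypted: bool
    mode: str = "Auto"                      # "Auto", or a forced cipher name ("AES" / "DES")
    participants: dict = field(default_factory=dict)   # site -> Cipher in use (None if clear)

    def admit(self, site: str, supported: set) -> str:
        """Admit a site and select its cipher; returns a constructed status string."""
        if not self.encrypted:
            self.participants[site] = None
            return "joined-unencrypted"
        if self.mode == "Auto":
            # Auto: accept AES or DES; assumption: prefer the stronger one per site.
            order = [Cipher.AES, Cipher.DES]
        else:
            # Forced mode: only the administrator-required cipher is acceptable.
            order = [Cipher[self.mode]]
        for cipher in order:
            if cipher in supported:
                self.participants[site] = cipher
                return f"joined-{cipher.value}"
        # The site is shown a picture saying the conference requires encryption.
        return "rejected-encryption-required"

    def on_media(self, site: str, encrypted: bool) -> str:
        """Per-frame check: a site sending clear data into an encrypted conference is removed."""
        if self.encrypted and not encrypted and site in self.participants:
            del self.participants[site]
            return "removed"
        return "ok"
```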