About H.235 encryption algorithms

[20150822 Update] For the record, I didn’t find the right ITU-REC document when I wrote this post, and misguided by a claim of HUAWEI VP9650 which says it has AES256 supported, but when I sending out a call from VP9650, it showed a new DH group DH1536, so I made my conclusion arbitary, DH1536 means AES256, obviously, it’s a terrible mistake.

Planning to upgrade to H.235 encryption from AES128 to AES256, but don’t know where to start.

Did not find a short way to achieve that.

We wished to get some informations about AES256 by capturing some pcap files of some other Video Conference solution providers.

But did not find a device which actually supports H.235 + AES256 feature.

So we returned to the ITU-REC document for more details.  The right ITU-REC should be T-REC-H.235.6-201401-I!!PDF-E.pdf.

Some key steps of implementing H.235.

1. SETUP: Caller send a public key token DHSet of in H.225 SETUP, which includes:

1) halfkey: contains the random public key of one party

2)modsize: contains the DH-prime

3)generator: contains the DH-group

1. Public key token DHSet of in H.225 SETUP
1. Public key token DHSet of in H.225 SETUP

2. CONNECT: Callee generate a private key token by using the public key of caller, and send it back to the caller in its H.225 CONNECT, also including halfkey, modsize and generator.

2. Private key token of DHSet in H.225 CONNECT
2. Private key token of DHSet in H.225 CONNECT

3. TCS: Both caller and callee send their H.245 TCS with H.235 capabilities.

3. Sample H.245 TCS with H.235 capability
3. Sample H.245 TCS with H.235 capability

4. MasterSlave determination

5. Master generate a media key which will be used to encrypt/decrypt the media.

5a. OLC(from master): Open a logical channel with a specified H.235 media, and send to the slaver

H235Key in H.245 OLC
H235Key in H.245 OLC

5b. OLC ACK(from master): Reply the media key to the OLC requester(Slaver)

H235Key in H.245 OLC ACK
H235Key in H.245 OLC ACK

6. Some other H.245 request/indication messages, such as encryptionUpdateRequest, encryptionUpdate.

H.235 encryption related node definitions:

1. The tokenOID in H.225 SETUP and CONNECT message:
1a. H600’s tokenOID
Item0: 0.0.8.235.0.1.5
Item0: 0.0.8.235.0.1.5
Item2: 0.0.8.235.0.3.24
Item3: 0.0.8.235.0.3.43

1b. Huawei MCU’s tokenOID
ProductId: VP9650, versionId: V200R001C02B018SP07 Apr 28 2014 16:15:31+08
1. Public key token DHSet of in H.225 SETUP - HUAWEI-MCU-VP9650 3. Sample H.245 TCS with H.235 capability - HUAWEI-MCU-VP9650
Item0: 0.0.8.235.0.1.5
Item1: 0.0.8.235.0.3.44
Item2: 0.0.8.235.0.3.43
Item3: 0.0.8.235.0.3.24

1c. Huawei TE40’s tokenOID
ProductId: TEx0, versionId: Release 1.1.24.5
Item0: 0.0.8.235.0.3.43
Item1: 0.0.8.235.0.3.24

http://www.oid-info.com/get/0.0.8.235.0.1.5
http://www.oid-info.com/get/0.0.8.235.0.3.24
http://www.oid-info.com/get/0.0.8.235.0.3.43
http://www.oid-info.com/get/0.0.8.235.0.3.44

“T”      {itu-t (0) recommendation (0) h (8) 235 version (0) 2 5} {itu-t (0) recommendation (0) h (8) 235 version (0) 1 5} Used in Procedures I and IA as the baseline ClearToken for the message authentication and replay protection and optionally also for Diffie-Hellman key management as described in D.7.1.
“DH1024” {itu-t (0) recommendation (0) h (8) 235 version (0) 2 43} 1024-bit DH group
“DH1536” {itu-t (0) recommendation (0) h (8) 235 version (0) 3 44} 1536-bit DH group
From chapter D.11 List of object identifiers of <T-REC-H.235-200308-S!!PDF-E.pdf>, P.70-71

[20150822 Update]

Earlier when I wrote this post, I didn’t find the right ITU/T standard(T-REC-H.235.6-201401-I!!PDF-E.pdf).

The information I got was that HUAWEI VP9650 supports AES256, and when I tried to sending out a call on VP9650, I got  to know it supports following DH groups:

Item0: 0.0.8.235.0.1.5
Item1: 0.0.8.235.0.3.44
Item2: 0.0.8.235.0.3.43
Item3: 0.0.8.235.0.3.24

So I made my conclusion arbitarty that DH1536 is our goal: AES256, but turned out I was terribly wrong. (I don’t know why VP9650 sending out max to DH1536 while it claims having AES 256 supported)

DH group - DH1536

2. Media encryption algorithm definitions on H.245 TCS, OLC, OLC ACK,etc:

The most frequently used/seem types are:
2a. AES 128 bit CBC: 2.16.840.1.101.3.4.1.2
2b. DES 56 bit CBC(Voice encryption using DES in CBC mode and 512-bit DH-group): 1.3.14.3.2.7

2.16.840.1.101.3.4.1.1 – id-aes128-ECB
2.16.840.1.101.3.4.1.2 – id-aes128-CBC
2.16.840.1.101.3.4.1.3 – id-aes128-OFB
2.16.840.1.101.3.4.1.4 – id-aes128-CFB
2.16.840.1.101.3.4.1.6 – id-aes128-GCM
2.16.840.1.101.3.4.1.7 – id-aes-CCM
2.16.840.1.101.3.4.1.21 – id-aes192-ECB
2.16.840.1.101.3.4.1.22 – id-aes192-CBC
2.16.840.1.101.3.4.1.23 – id-aes192-OFB
2.16.840.1.101.3.4.1.24 – id-aes192-CFB
2.16.840.1.101.3.4.1.26 – id-aes192-GCM
2.16.840.1.101.3.4.1.27 – id-aes192-CCM
2.16.840.1.101.3.4.1.41 – id-aes256-ECB
2.16.840.1.101.3.4.1.42 – id-aes256-CBC
2.16.840.1.101.3.4.1.43 – id-aes256-OFB
2.16.840.1.101.3.4.1.44 – id-aes256-CFB
2.16.840.1.101.3.4.1.46 – id-aes256-GCM
2.16.840.1.101.3.4.1.47 – id-aes256-CCM

Source : http://www.alvestrand.no/objectid/2.16.840.1.101.3.4.1.html

About DH key exchange:
1. http://baike.baidu.com/view/551692.htm
2. http://www.rosoo.net/a/201507/17349.html
3. Diffie-Hellman, http://www.cryptopp.com/wiki/Diffie-Hellman
4. rfc3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE), https://www.ietf.org/rfc/rfc3526.txt
5. Huawei VP9650(which claims having AES256 supported): http://e.huawei.com/cn/related-page/products/enterprise-network/telepresence-video-conferencing/infrastructure/vp9600/TPVC_MCU_VP9600

Add compilation time cost for each source file in make file

Encountered an issue of extreme long time compiling days ago, so we tried to add a time cost output in the Makefile to locate what on earth happened during the compilation.

There are two Makefiles need to be modified, one is Linux based Makefile, another is Android based Makefile

Linux Makefile:

##------------------------------------------------------------------------
## Rules
## Suffix rules
$(SRC_DIR)/%.o: $(SRC_DIR)/%.s
    $(CC) -c -o $@ $(CFLAGS) $<
$(SRC_DIR)/%.o: $(SRC_DIR)/%.cpp
    @now=`date`; echo "==========compile at $${now}"
    $(CC) -c -o $@ $(CFLAGS) $<

or

@echo "Compilation begin at `date`"
@echo Compilation in progress, please wait ...
@sleep 1
@now=`date`; echo "Compilation end at $${now}"

Test Makefile: http://rg4.net/p/tools/add-time-output-to-makefile/common.mk

Android Makefile:
You need to modify NDK common make file, definitions.mk, to archive this, it’s locating at /path-to-ndk/android-ndk-r7c/build/core/definitions.mk

_CC   := $$(NDK_CCACHE) $$($$(my)CXX)

# Jacky, add timestamp to the compile output
# 1) for linux
# NOW := `date`
# 2) for windows
NOW        := %TIME:~0,10%

_TEXT := "Compile++ $$(call get-src-file-text,$1), start at: $$(NOW)"

$$(eval $$(call ev-build-source-file))
endef

Test Makefile: http://rg4.net/p/tools/add-time-output-to-makefile/definitions.mk

A simple guide of starting use EasyRTC

Working on a Loongson(www.loongson.cn) PC, goal is to make it a Meeting Terminal. Because its CPU is MIPS arch, there could be lots of unexpected problems, so the first thought hit us is WebRTC.

This post is the first step to research into this topic.

Continue reading “A simple guide of starting use EasyRTC”

A simple script to sync a forked repository with the source repository

The mechanism is simple like this:

1. Pull/Clone your own repository(which was forked from another repository) to a local PC.
2. Add remote source repository to a tag of the local copy.
3. Do local merge for the two repositories.
4. Resolve the conflications if exists.
5. Commit the local copy to your repository.
6. Done and do some check.

#Sync the forked repository with the original source

#1. First clone the repository of your own.
#Skip this step if you already have a local copy of your own fork repository
git clone https://github.com/jackyhwei/nginx-rtmp-module
cd nginx-rtmp-module

#2. Add remote repository

#Add a tag for your repository and point to the origin source repository
git remote add jackyhwei https://github.com/arut/nginx-rtmp-module

#3. Fetch the newly added tag source
git fetch jackyhwei

#4. Merge the newly fetched source to master
git merge jackyhwei/master

#Manually resolve the conflications if there exists
git commit -m "merged by jackyhwei"

#5. Push the codes to your repository. BTW: git push requires you input your username and password.
git push -u origin master

#6. Check local info
git remote -v  
git branch -a

If you’v made some modification for your own repository, there will be an error like below when you do the push:

Permission denied(publickey).
fetal: The remote end hung up unexpectedly.

It’s because you didn’t add a public key for your repository, use following script to add it:

cd ..
mv .ssh ssh_bak
ssh-keygen #this command will generate a public/private rsa key pair for you.
cd .ssh
ls #there would be two files: id_rsa and id_rsa.pub
vi id_rsa.pub

Copy the contents in id_rsa.pub to your clipboard, and go to the repository administration web page, select the Deploy Keys menu, and Add the deploy key(which is in your clipboard) to it.

Try push again.

Have my blog theme changed

wordpress
I was using PageLines’s Platform theme for over 3 years, I really liked it.
It’s simple, fast, and easy to use.

The only problem is Platform theme does not mobile friendly, it’s sucked when you visit my blog by your smart phone. And this became the root reason of my decision of replacing it with a new theme.

And the new one is Customizr, designed by Press Customizr. Not so freshing as Platform, but seems good to me when I visit my blog by my phone. Wish you’d like it too.

Media Control(Video Picture Fast Update) mechanism for SIP

This question was origined from an experience of conferencing with different meeting terminals, including Polycom, Cisco, Tandburg, Huawei, etc.

In our current implementation of SIP conference, we are using a stream_id tag in the Video Fast Update command to  tell the peer we are requesting an Intra frame for a specific stream. And the stream_id tag value was recorded from the Label attribute of the SDP exchange process.
sip
However, this situation was:
1. Some of the vendors don’t have stream_id in the VideoFastUpdate command, such as CISCO and Tandburg, but if we send a VideoFastUpdate with stream_id tag in it, it doesn’t matter, it can response a 200 OK, only the stream_id value can not be zero, otherwise, it will reply with a 500 error.
2. Polycom does have a stream_id in it, but no matter what circumstances, the stream_id is alway 1.
3. Huawei seems have a same implementation with Kedacom, having a stream_id in it, and the value is coherence with the LABEL tag in the SDP.

Then I turned to the RFC document, RFC5168: XML Schema for Media Control, category: informational, developed by Microsoft, Polycom, Radvision.
The definition is placed in phase 5 of this document:
The Schema Definition

  <?xml version="1.0" encoding="utf-8" ?>

   <xs:schema id="TightMediaControl"
    elementFormDefault="qualified"
     xmlns:xs="http://www.w3.org/2001/XMLSchema">

           <xs:element name="media_control">
               <xs:complexType>
                  <xs:sequence>
                     <xs:element name="vc_primitive"
                                           type="vc_primitive"
                                           minOccurs="0"
                                           maxOccurs="unbounded" />
                     <xs:element name="general_error"
                                           type="xs:string"
                                           minOccurs="0"
                                           maxOccurs="unbounded" />
                  </xs:sequence>
               </xs:complexType>
           </xs:element>

           <!-- Video control primitive.  -->

           <xs:complexType name="vc_primitive">
                   <xs:sequence>
                     <xs:element name="to_encoder" type="to_encoder" />
                      <xs:element name="stream_id"
                                       type="xs:string"
                                       minOccurs="0"
                                       maxOccurs="unbounded" />
                           </xs:sequence>
           </xs:complexType>

           <!-- Encoder Command:
                Picture Fast Update
           -->

           <xs:complexType name="to_encoder">
                   <xs:choice>
                           <xs:element name="picture_fast_update"/>
                   </xs:choice>
           </xs:complexType>

   </xs:schema>

So, as you can see, there is actually a stream_id tag in it. But when I tried to find more about it, nothing was found. Weird enough for a RFC document.

After re-read the full document, found out there was a description which explains the situation:
New implementations are discouraged from using the method described except for backward compatibility purposes. New implementations are required to use the new Full Intra Request command in the RTP Control Protocol (RTCP) channel.

Failed to establish H.460 call through Polycom MCU issue

Details of the issue:

The situation is H600 can establish H.460 calls with most of the GKs around the world, but failed to a Polycom GK.
Allow me to explain the details of this issue:
1. Caller: Group500, callee: H600, GK/MCU: Polycom RMX 2000
2. Group500 sent a call to GK with callModel set to gatekeeperRouted, calling target: H600
3. GK sent H.460 SCI to H600
4. H600 replied SCR to GK
5. H600 established a H.225 TCP connection to the Polycom GK successfully
6. H600 sent facility to GK.
7. Polycom GK shutdown the H.225 TCP connection from H600 actively, and call terminated. Continue reading “Failed to establish H.460 call through Polycom MCU issue”

Students take VR to new heights with feedback-enabled gloves

vr-glovesA couple of engineering students from Rice University is taking virtual reality to the next level with a glove that lets you feel what you’re holding onto.

Much of the news regarding virtual reality is centered around our vision, but what makes reality better than virtual is that it tingles all five of our senses—not just our eyeballs.  Picking up a gun and firing it in real life is totally different from popping an alien in a video game.  The experience heightens when we get a true “3D” experience via gadgets like the Oculus, but that in itself is still an incomplete picture.

To make the VR experience even more exciting, some engineering students at Rice have developed a prototype glove that provide feedback when users interact with the virtual environment.  The glove is equipped with air bladders that expand and contract when fingers interact with the glove’s trigger mechanisms.  It weighs around 350 grams, but most of the glove’s weight is shoved towards the wrist area to give users the sense that it’s light enough to make it not noticeable.

The team says their underlying trigger mechanism is easily adaptable should programmers want to implement its protocol into games and other projects.

Source: Rice University

Nokia, Alcatel-Lucent merger arouses mixed feelings in Finland

Got the break/top news right after went back from the badminton field, what Should I say, Wow. Finally, eventually, Nokia is back, with this big move, looking forward to it’s next step to reveal the confuses in everyone’s mind.

Source: http://news.xinhuanet.com/english/2015-04/15/c_134154436.htm

Continue reading “Nokia, Alcatel-Lucent merger arouses mixed feelings in Finland”

Make VLC player to support play H.264 ES stream file

As I knew, H.264 ES stream file can be played back by CorePlayer(Commercial version of MPlayer).
But not VLC Player. But as I was told that someone did use VLC Player to player H.264 ES stream file.
So made some further dig into this issue, turned out the old version of VLC Player does support, while versions later than 1.0 doesn’t by default.
Continue reading “Make VLC player to support play H.264 ES stream file”

UniSVR is shutting down Shanghai office

April 1, 2015, a bright sunny day at Shanghai.
Today is supposed to be a kidding day, however, not got so much April Fool’s Day news as usual, but an astonishing news, UniSVR is going to shut down the Shanghai office in a month.

Sign, lament, or not, UniSVR Shanghai branch will be a history, finally annoncing and revealing the ending of a 15-year-old branch/office, where I participanted along with so much guys/gals there for more than ten years.

Sorry, regret, or not, life should and will go on. I talked with my previous boss, Mars Chen, VP of UniSVR, responsible for product and surveilance product line trategy, just minutes earlier. We did not talk about why, because we all knew it, it’s about business, it’s about life and living, and life always goes on.

Sad, pain, or not, let us all move on. Twelve years ago, the most shocking news was Leslie Cheung(张国荣) left us, it was really sad, and we could do nothing about it. Today, we moved on. One month later, UniSVR Shanghai will be closed, we can do nothing either, we will also move on. Besides this might leave UniSVR a clearer and brighter furture, I’m not saying this because I’m already left UniSVR, but truely from my heart.

And, I do care of UniSVR, although I resigned from UniSVR about two years ago.
I’m still keeping paying close attention to UniSVR.

And, lot’s of things happened in the almost two years.
In the two years, digital surveilance is no longer the tragical product for UniSVR.
In the two years, the bussiness in China mainland was keeping shrinking.
In the two years, lot’s of key employees left, new one came and left.
In the two years, developing work of IoT product, which is considered as the furture of UniSVR, was transfered from Shanghai to Beijing and Hsinchu.
Most importantly, some of us shared our youngness in UniSVR, especially, guys like Michael, Maggie, etc.

And we both knew
In the 15 years, UniSVR was once great not only in the global marketing, but also in China mainland.
In the 15 years, no matter where you sit in the orgnization chart, and no matter he/she worked hard or not, deep down in the heart, every UniSVRer kept fighting for a bright furture for both themself and UniSVR China.

I do feel sorry for myself that I didn’t get a chance to send my best wishes to UniSVR two years ago when I left UniSVR.
Back at that time, I planned myself a lot for the farewell, but the thing is not everything goes as you planned, so I choosed silience, only left a post on my blog, http://rg4.net/archives/455.html.
This time, allow me to speak it sincerely and loudly, God bless UniSVR, wish UniSVR a bright furture.

It seems today is even harder than the day I left UniSVR, it’s definitely a sleepless night for me, though I’m not know what I am thinking about, writing about.

OLC process rule of Avaya MCU 5110

Backgroud:
1. Both H800 and Avaya MCU 5110 support up to H.264 1080P video.
2. Avaya MCU supports 720P video when conferencing with Avaya endpoints(XT1000)
3. H800 Called by(Or calling to) Avaya(RADVision) MCU 5110, the opened video channel can only max to 4CIF.
Continue reading “OLC process rule of Avaya MCU 5110”

Step by step to enable x264 with OpenCL – NVIDIA solution

x264 project added OpenCL video acceleration to it’s implementation early at about 2013(not sure with the date), and my goal here is test the video encoding performance of x264 when with OpenCL video accelerator enabled.

Test hardware environments: HP Pavilion 14
1. Graphic card: NVIDIA GeForce GT730M card.
2. CPU: Intel Core Ivy Bridge i7-3632QM
Continue reading “Step by step to enable x264 with OpenCL – NVIDIA solution”

Google Code is shutting down

Yesterday, got a mail from Google, telling a big announcement about Google Code project, which was started in 2006, and the Google Code service will be shutting down over the coming months, because a lot has changed since 2006, and it’s time to recognize that Google Code’s mission to provide open source project a home has been accomplished by others, such as GitHub and Bitbucket.

Google Code is shutting down

Yes, a lot has changed since 2006. Google accepted the changes, and is going to shut down the Google Code service, like some other services once provided by Google. Great as Google, Google is still a straight learner, knows how to start, knows when to stop. Start is easy, while letting go, moving on is always difficult, but Google made it.

How about you?