Industry Video Teleconferencing Profile - VTC001

Table of Contents

5.1. Video, communications and control

5.2. Control and Indication signals

5.3. Audio

5.4. Confidentiality and secure operation

5.4.1. Technical requirements

5.4.2. Data encryption standard

5.4.3. Output feedback mode

5.4.4. Validation

5.4.5. Levels of security protection

5.4.6. Visual indication

Figure 5.1. Block diagram of a sample Type 3 encryption implementation

5.5. Multipoint Control Unit (MCU)

5.4. Confidentiality and secure operation

As an option, VTUs may provide confidentiality or secure operation. When provided, this feature shall follow the specifications of ITU-T H.233 and this section, or it may use external cryptographic devices. For Type 1 (Classified) encryption using external devices, e.g., KG-194, the requirements of Section B.5.4 in Annex B shall apply.


5.4.1. Technical requirements.

If the confidentiality option is chosen, the VTU shall conform to the specifications set forth in ITU-T H.233. ITU-T H.233 offers a choice of encryption methods, including the Data Encryption Standard (DES). The VTU shall be capable of encrypting video, audio, still images and data using DES.

[Editor's note: The 1993 version of H.233 has been revised and is considered stable text although not yet approved. It should be considered in this area, especially for the use of the DES algorithm and the 64-bit Output Feedback Mode.]


5.4.2. Data encryption standard

If the confidentiality option is chosen, DOD users shall have the capability to operate using DES. The need for DES encryption in industry applications is up to the user. Operation using the DES algorithm is defined in FIPS PUB 46-1, Data Encryption Standard. The ITU-T H.233 algorithm identifier for DES, Mode 1 shall be used. The algorithm identifier is:

0 0 0 0 0 0 1 0 (msb on the left, lsb on the right)

A VTU may also be capable of operation in any of the non-DES modes specified in ITU-T H.233. One possible implementation is shown in Figure 5.1.


Figure 5.1. Block diagram of a sample Type 3 encryption implementation


5.4.3. Output feedback mode

If the confidentiality option is chosen, DOD users shall have the capability to operate using the DES algorithm and shall use the 64-bit Output Feedback Mode (OFB-64) as defined in FIPS PUB 81, Data Encryption Standard Modes of Operation. The ITU-T H.233 parameter identifier for OFB-64 shall be used. The parameter identifier is:

0 0 0 0 0 0 0 1 (msb on the left, lsb on the right)

The initialization vector shall be 64 bits long.
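The following Python sketch is an added example, not part of this Profile or of ITU-T H.233. It shows how 64-bit output feedback turns a block engine into a keystream and checks a negotiated setup against the identifiers quoted in 5.4.2 and 5.4.3. Assumptions: the DES engine is modelled as a callable, and `standin_engine` is a hash-based stand-in that is not DES (5.4.4 requires a validated firmware or chip implementation); all function names, the key, the IV and the payload are constructed for illustration.

```python
import hashlib
from typing import Callable

BLOCK = 8  # OFB-64 works on 64-bit blocks and feeds back all 64 bits

# Identifier octets quoted in sections 5.4.2 and 5.4.3 (msb first).
ALG_ID_DES = 0b00000010
PARAM_ID_OFB64 = 0b00000001


def profile_violations(alg_id: int, param_id: int, iv: bytes) -> list[str]:
    """Return the ways a negotiated setup departs from sections 5.4.2-5.4.3."""
    problems = []
    if alg_id != ALG_ID_DES:
        problems.append(f"algorithm identifier {alg_id:08b} is not DES")
    if param_id != PARAM_ID_OFB64:
        problems.append(f"parameter identifier {param_id:08b} is not OFB-64")
    if len(iv) != BLOCK:
        problems.append(f"IV is {len(iv) * 8} bits, not 64")
    return problems


def ofb64(encrypt_block: Callable[[bytes], bytes], iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data in OFB-64; the two operations are identical."""
    if len(iv) != BLOCK:
        raise ValueError("OFB-64 needs a 64-bit initialization vector")
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        feedback = encrypt_block(feedback)   # O_j = E_K(O_{j-1}), O_0 = IV
        chunk = data[i:i + BLOCK]            # last chunk may be short
        out += bytes(p ^ k for p, k in zip(chunk, feedback))
    return bytes(out)


def standin_engine(key: bytes) -> Callable[[bytes], bytes]:
    """Hypothetical stand-in for the DES engine: keyed 64-bit function, NOT DES."""
    def encrypt_block(block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]
    return encrypt_block


if __name__ == "__main__":
    engine = standin_engine(b"constructed-key")
    iv = bytes.fromhex("0123456789abcdef")      # constructed 64-bit IV
    frame = b"constructed audio/video payload"  # 31 bytes, not a block multiple
    print(profile_violations(ALG_ID_DES, PARAM_ID_OFB64, iv))
    sealed = ofb64(engine, iv, frame)
    print(sealed.hex(), ofb64(engine, iv, sealed) == frame)
```

Because OFB only ever runs the block engine in the encrypt direction, the same routine serves both ends of the link, and a receiver that starts from a different IV recovers nothing usable.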


5.4.4. Validation

All DES implementations must be validated by NIST. Software implementations (other than firmware) are not in compliance with this Profile. The following firmware implementations are acceptable: Read-Only Memory (ROM), microcode, Erasable Programmable Read-Only Memory (EPROM), Compact Disk Read-Only Memory (CD-ROM), and chip implementations.


5.4.5. Levels of security protection

All VTUs using DES shall follow the security requirements for cryptographic modules as defined in FIPS PUB 140-1, Security Requirements for Equipment Using Data Encryption Standard. FIPS PUB 140-1 describes 4 levels of protection for various aspects including the basic design, module interfaces, authorized roles and services, and physical security. The selection of the appropriate level of protection is beyond the scope of this Profile and is left to the discretion of the user. FIPS PUB 140-1 compliance shall be validated by NIST (assuming NIST has an active validation program at the time of procurement).


5.4.6. Visual indication

VTUs using this clause may optionally provide an external electrical or visual security status signal that a display device can use to give a real-time visual indication of whether information (audio, video, still image, and all data) transmitted across the network is Type 3 protected or in the clear.
