SIST ETS 300 840 E1:2003

SLOVENSKI STANDARD
SIST ETS 300 840 E1:2003
01-december-2003
Telekomunikacijska varnost – Digitalno omrežje z integriranimi storitvami (ISDN) –
Sistem zaupnosti pri avdiovizualnih storitvah
Telecommunications security; Integrated Services Digital Network (ISDN); Confidentiality
system for audiovisual services
Ta slovenski standard je istoveten z: ETS 300 840 Edition 1
ICS:
33.080 Digitalno omrežje z Integrated Services Digital
integriranimi storitvami Network (ISDN)
(ISDN)
33.160.01 Avdio, video in avdiovizualni Audio, video and audiovisual
sistemi na splošno systems in general
SIST ETS 300 840 E1:2003 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ETS 300 840 E1:2003

---------------------- Page: 2 ----------------------

SIST ETS 300 840 E1:2003
EUROPEAN ETS 300 840
TELECOMMUNICATION January 1998
STANDARD
Source: Security Reference: DE/SEC-002307
ICS: 33.020
Key words: ISDN, multimedia, security
Telecommunications Security;
Integrated Services Digital Network (ISDN);
Confidentiality system for audiovisual services
ETSI
European Telecommunications Standards Institute
ETSI Secretariat
Postal address: F-06921 Sophia Antipolis CEDEX - FRANCE
Office address: 650 Route des Lucioles - Sophia Antipolis - Valbonne - FRANCE
X.400: c=fr, a=atlas, p=etsi, s=secretariat - Internet: secretariat@etsi.fr
Tel.: +33 4 92 94 42 00 - Fax: +33 4 93 65 47 16
Copyright Notification: No part may be reproduced except as authorized by written permission. The copyright and the
foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 1998. All rights reserved.

---------------------- Page: 3 ----------------------

SIST ETS 300 840 E1:2003
Page 2
ETS 300 840: January 1998
Whilst every care has been taken in the preparation and publication of this document, errors in content,
typographical or otherwise, may occur. If you have comments concerning its accuracy, please write to
"ETSI Editing and Committee Support Dept." at the address shown on the title page.

---------------------- Page: 4 ----------------------

SIST ETS 300 840 E1:2003
Page 3
ETS 300 840: January 1998
Contents
Foreword .5
1 Scope .7
2 Normative references.7
3 Abbreviations.8
4 Properties of the system specified .8
4.1 Confidentiality.8
4.2 Algorithm specification.8
5 The confidentiality mechanism.9
5.1 Description of operation.9
5.1.1 Controls and indication within the H.221 frame.9
5.1.2 Message formats.10
5.1.2.1 Identifier.10
5.1.2.2 Length (L) .10
5.1.2.3 Bit string.10
5.1.3 Unenciphered ECS channel .11
5.1.3.1 Session exchange blocks.12
5.1.3.2 Initialization vectors .14
5.1.3.3 Error protection of control channel information.14
5.2 Transmission encryption method.14
5.3 Procedure for use of the system.15
6 Encryption of MLP channel .15
Annex A (normative): Encryption algorithms and their parameters.16
A.1 BARAS .16
A.2 IDEA .16
A.3 FEAL .16
A.4 DES .17
Annex B (informative): Encryption and decryption for 2 × B channels .18
Annex C (informative): Audio-visual privacy communication procedure .21
History.24

---------------------- Page: 5 ----------------------

SIST ETS 300 840 E1:2003
Page 4
ETS 300 840: January 1998
Blank page

---------------------- Page: 6 ----------------------

SIST ETS 300 840 E1:2003
Page 5
ETS 300 840: January 1998
Foreword
This European Telecommunication Standard (ETS) has been produced by the Security (SEC) Technical
Committee of the European Telecommunications Standards Institute (ETSI).
The system should support lawful interception of a user's communications in accordance with appropriate
national law. Users of this ETS should seek advice from their national authorities.
Transposition dates
Date of adoption of this ETS: 24 October 1997
Date of latest announcement of this ETS (doa): 30 April 1998
Date of latest publication of new National Standard
or endorsement of this ETS (dop/e): 31 October 1998
Date of withdrawal of any conflicting National Standard (dow): 31 October 1998

---------------------- Page: 7 ----------------------

SIST ETS 300 840 E1:2003
Page 6
ETS 300 840: January 1998
Blank page

---------------------- Page: 8 ----------------------

SIST ETS 300 840 E1:2003
Page 7
ETS 300 840: January 1998
1 Scope
A privacy system consists of two parts, the confidentiality mechanism or encryption process for the data,
and a key management subsystem.
This European Telecommunication Standard (ETS) is based on ITU-T Recommendation H.233 [1] and
describes the confidentiality part of a privacy system suitable for use in narrowband audio-visual services
conforming to ITU-T Recommendations H.221 [2], H.230 [3], H.234 [4], and H.242 [5]. Although an
encryption algorithm is required for such a privacy system, the specification of such an algorithm is not
included in this ETS. The system caters for more than one specific algorithm.
The confidentiality system is applicable to point-to-point links between terminals or between a terminal and
a Multipoint Control Unit (MCU); it may be extended to multipoint working in which there is no decryption
at the MCU, but this outside the scope of this ETS.
2 Normative references
This ETS incorporates by dated and undated reference, provisions from other publications. These
normative references are cited at the appropriate places in the text and the publications are listed
hereafter. For dated references, subsequent amendments to or revisions of any of these publications
apply to this ETS only when incorporated in it by amendment or revision. For undated references the latest
edition of the publication referred to applies.
[1] ITU-T Recommendation H.233: "Confidentiality system for audiovisual services".
[2] ITU-T Recommendation H.221: "Frame structure for a 64 to 1920 kbit/s channel
in audiovisual teleservices".
[3] ITU-T Recommendation H.230: "Frame-synchronous control and indication
signals for audiovisual systems".
[4] ITU-T Recommendation H.234: "Encryption key management and
authentication system for audiovisual services".
NOTE: ITU-T Recommendation H.234 forms the basis of ETS 300 841 [11].
[5] ITU-T Recommendation H.242: "System for establishing communication
between audiovisual terminals using digital channels up to 2 Mbit/s".
[6] ITU-T Recommendation X.208: "Specification of Abstract Syntax Notation One
(ASN.1) Blue Book Fascicle VIII.4".
[7] ISO/IEC 9979 Registration No. 0001 (B-CRYPT).
[8] ISO/IEC 9979 Registration No. 0002 (IDEA).
[9] ISO/IEC 9979 Registration No. 0010 (FEAL).
[10] ISO/IEC 9979 Registration No. 0011 (BARAS).
[11] ETS 300 841: "Telecommunications Security; Integrated Services Digital
Network (ISDN); Encryption key management and authentication system for
audiovisual services".
[12] ITU-T Recommendation Q.939: "Typical DSS 1 service indicator codings for
ISDN telecommunications services".
[13] ISO/IEC 8372: "Information processing -- Modes of operation for a 64-bit block
cipher algorithm".

---------------------- Page: 9 ----------------------

SIST ETS 300 840 E1:2003
Page 8
ETS 300 840: January 1998
3 Abbreviations
For the purposes of this ETS, the following abbreviations apply:
AIM, AIA, VIS control & indication codes (see ITU-T Recommendation H.230 [3])
ASN.1 Abstract Syntax Notation No. 1
BARAS Baseline Algorithm Recommended for use in Audiovisual Systems
BAS Bit Allocation Signal (see ITU-T Recommendation H.221 [2])
CRC4 Cyclic Redundancy Check 4 (see ITU-T Recommendation H.221 [2])
DES Data Encryption Standard
ECS Encryption Control Signal (see ITU-T Recommendation H.221 [2])
FAS Frame Alignment Signal (see ITU-T Recommendation H.221 [2])
FEAL Fast Encryption Algorithm
H.221 "H.221 framing/frame structure" (see ITU-T Recommendation H.221 [2])
IDEA International Data Encryption Algorithm
ILC Identifier, Length, Content
ISDN Integrated Services Digital Network
IV Initialization Vector
L Length parameter
LSB Least Significant Bit
MCU Multipoint Control Unit
MLP "MLP" logical channel (see ITU-T Recommendation H.221 [2])
MSB Most Significant Bit
OFB Output Feedback
SE Session Exchange
SV Starting Variable
4 Properties of the system specified
4.1 Confidentiality
1) Confidentiality is independent of other privacy services provided by the system; keys are provided
by other mechanisms such as that described in ITU-T Recommendation H.234 [4], or may be
manually entered.
2) It is applicable to audio-visual signals framed according to ITU-T Recommendation H.221 [2], at
transfer rates of p × 64 kbit/s where p takes any one value from 1 to 30. In accordance with ITU-T
Recommendation H.221 [2], the frame structure itself is not encrypted.
3) Confidentiality is given to all user audio, video and data transmissions, these signals being
encrypted together under the same key.
NOTE: This currently includes MLP data, according to ITU-T Recommendation H.221 [2],
annex A, though this aspect is for further study.
4) The system is independent of the encryption algorithm used; some algorithms are currently
provided for, and further algorithms could be added.
5) The confidentiality mechanism is capable of working in point-to-point calls, and also in multipoint
calls where decryption is permitted at the MCU (the so-called "trusted MCU").
4.2 Algorithm specification
The specification of algorithms is not included in this ETS, which caters to a wide range of encryption
algorithms. The specifications shall be available elsewhere (see subclause 5.2) and shall contain the
following details:
- lengths of initialization vector and session keys;
- generation of starting variable from initialization vector.

---------------------- Page: 10 ----------------------

SIST ETS 300 840 E1:2003
Page 9
ETS 300 840: January 1998
5 The confidentiality mechanism
5.1 Description of operation
Figure 1 in ITU-T Recommendation H.233 [1] gives a block diagram of a link encryptor. It consists of an
encryptor block and a decryptor block. The encryptor takes in user data and enciphers it to form
enciphered data. The decryptor takes enciphered data and deciphers it to obtain user data.
Connecting the encryptor and decryptor are two channels. One is used to transmit the enciphered user
data. The second is an unenciphered channel known as the Encryption Control Signal (ECS) which is
used to pass control information from the encryptor to the decryptor. Although these two channels are
shown physically separated, in practice they are multiplexed into a single data stream.
Additive-stream encipherment techniques are used (see subclause 5.2).
Keys are provided by other mechanisms and are presented to the confidentiality mechanism as required.
They are used by the encryptor and decryptor synchronously with the data, a load new key flag being sent
via the control channel (see L in subclause 5.1.3).
Data encipherment is controlled from the encryptor: the encryption ON/OFF flag is sent via the control
channel to indicate when data is being enciphered. The decryptor responds to this flag and deciphers data
when requested.
TRANSM ISSION
RECEIVER
SENDER
CHANNEL
KEYS
KEYS
RECOVERED
USER
USER DATA
DATA
ENCIPHERED DATA CHANNEL
ENCRYPTOR
DECRYPTOR
PLAIN DATA CONTROL CHANNEL
INITIALIZATION VECTORS
Figure 1: Block diagram of the link encryption system
5.1.1 Controls and indication within the H.221 frame
To indicate the presence of a confidentiality system within a terminal the Bit Allocation Signal (BAS) code
"Encryption capability" shall be transmitted. If this capability is signalled from both ends of a link, the ECS
channel may be opened in each direction by use of the Encryp-on BAS command; the ECS channel may
be closed using the command Encryp-off, but this shall be preceded by the transmission of the
Encryption-off flag within the channel itself. If a terminal receives the BAS command Encryp-off without
first receiving the Encryption-off flag, the user should be alerted to a possible intrusion or malfunction of
the confidentiality system.
In cases where a ITU-T Recommendation H.221 [2]-framed signal is in use in one direction only, the ECS
channel may be activated without use of the capability mechanism: the mechanism to ensure that the
receiving end is able to decrypt the chosen algorithm, etc. is then outside the scope of this ETS.

---------------------- Page: 11 ----------------------

SIST ETS 300 840 E1:2003
Page 10
ETS 300 840: January 1998
5.1.2 Message formats
The messages used by the encryption system for key distribution and authentication are formatted in a
nested Identifier, Length, Content (ILC) form as described in ITU-T Recommendation X.208 [6]. The
length may be encoded in short form or long form. The indefinite form as defined in ITU-T
Recommendation X.208 [6] will not be used.
The messages described in this recommendation allow the various messages to be identified by the
encryption system. The messages used by the encryption system shall also be identified by the message
system as belonging to the encryption system. The descriptions of the identifiers used by the messaging
system for that purpose are beyond the scope of this recommendation.
A short description of some of the definitions in ITU-T Recommendation X.208 [6] used within this
proposal is given in subclauses 5.1.2.1 to 5.1.2.3.
5.1.2.1 Identifier
An identifier is an octet with the structure shown next.
MSB LSB c Tag class
p Primitive/constructor (0/1)
t Tag
c c p ttttt
The Tag Class defines the type of identifier which will be 10 or 11 (context specific) for the identifiers
defined within this ETS.
The Primitive/Constructor (P) bit indicates whether the content is primitive or whether it is composed of
nested elements.
The 5-bit Tag uniquely defines the identifier (according to its class).
Thus all identifiers in this ETS have the octet form: 1 0 P t t t t t or 1 1 P t t t t t .
1 2 3 4 5 1 2 3 4 5
5.1.2.2 Length (L)
The length specifies the length in octets of the contents and is itself variable in length.
The short form is one octet long and shall be used in preference to the long form when L is less than 128.
Bit 8 has the value zero and bits 7-1 encode L as an unsigned binary number whose Most Significant Bit
(MSB) and Least Significant Bit (LSB) are bit 7 and bit 1, respectively.
The Long form is from 2 to 127 octets long and is used when L is greater than or equal to 128 and less
than 2 to the power 1 008. Bit 8 of the first octet has the value one. Bits 7-1 of the first octet encode a
number one less than the size of the length in octets as an unsigned binary number whose MSB and LSB
are bit 7 and bit 1 respectively. L itself is encoded as an unsigned binary number whose MSB and LSB are
bit 8 of the second octet and bit 1 of the last octet, respectively. This binary number shall be encoded in
the fewest possible octets, with no leading octets containing the value 0.
5.1.2.3 Bit string
A bit string in primitive form has the bits packed eight to an octet and preceded by an octet that encodes
the number of unused bits in the final octet of the contents - from zero to seven - as an unsigned binary
number whose MSB and LSB are bit 8 and bit 1 respectively.

---------------------- Page: 12 ----------------------

SIST ETS 300 840 E1:2003
Page 11
ETS 300 840: January 1998
5.1.3 Unenciphered ECS channel
The confidentiality system requires the use of an unenciphered control channel between encryptor and
decryptor. Only one control channel per link encryption system is required. The same control channel is
used in association with the encryption of the audio, video and any data that may be present.
The content of the ECS channel is structured in blocks of 128 bits, synchronous with the H.221 multiframe
(see figure in ITU-T Recommendation H.233/2 [1]); thus the first bit of the block is bit 8 of octet 17 of
frame number 0 in a multiframe. There are two types of block: Session Exchange (SE) and Initialization
Vector (IV). The information contained within an IV block takes effect from the start of the next multiframe,
and remains effective until another IV has been sent. The ECS channel shall always contain either an IV
block or a SE block.
NOTE: According to some algorithm definitions the same IV may be loaded repeatedly. The
choice as to whether or not to do this would be based on the trade-off between faster
recovery from errors and additional security.
Bit No.
01 23456789 1011 | 12-119 | 120-127
SE Type 0 n n ssssse e 1e1e | message | spare
Bit No.
01 23456789 1011 | 12-107 | 108-127
IV Type 1 n n A C C L s e e e 1e | IV | spare
Figure 2: Control channel blocks
The block contains the following:
1) header (12 bits), consisting of:
- bit 0 to select type:
0 = SE (session exchange);
1 = IV (initialization vector);
- bits 1 and 2 to identify the blocks of a multi-block sequence:
00 for a single block, not followed by related blocks;
01 for block #1 of a sequence of several blocks;
10 for an intermediate block in a sequence;
11 for the last block of a sequence;
- bit 3 of IV-type block to indicate encryption on/off (A): 1 = ON, 0 = OFF;
- bits 4 and 5 of IV-type block to give length of IV (CC):
00 = 64 bits + 32 bits error correction;
01, 10, 11 reserved;
- bit 6 of IV-type block: reserved for key-loading synchronization (L);
- all other bits: spare (s) set to "0";
- bits 8-11: error correction for bits 0-7;
2) SE blocks: 108 bits structured as 9 × (8 information bits + 4 error correction bits);
IV blocks: system Initialization vector or part thereof (64 bits), with error protection (32 bits);

---------------------- Page: 13 ----------------------

SIST ETS 300 840 E1:2003
Page 12
ETS 300 840: January 1998
3) SE blocks: 8 spare bits;
IV blocks: 20 spare bits:
- provide an interval for the system to act upon the information received, and may
also provide for future enhancement.
5.1.3.1 Session exchange blocks
In SE-type blocks, the 116 bits following the 8 + 4 bit header are structured as 9 × (8 + 4) + 8, where the
last 8 bits are not used, and the 9 words are each 8 information bits with 4 error-correction bits. At the
receiver, the information bits (from more than one block if so indicated in the header) are formed into one
stream, consisting of messages on authentication and key management, plus two additional messages
P8, P9 defined below for the algorithm capabilities and commands.
All 12 bits of trailing unused words in the SE block shall be set to zero.
Algorithm capabilities (P8):
Message Name: Here is Decryption-algorithms-available Information (P8)
Message Identifier: 1 1 P t t t t t = 11000000
1 2 3 4 5
Content: [number 3-255][more bytes] where the first byte gives the number of following
bytes. Each set of three bytes indicates an available decryption mechanism
using the values listed under media identifiers, algorithm identifiers, and
Parameter Identifiers listed below. For example, a
...