Cisco SPA1001 Administration Guide - Page 63
Using a Mini-Certificate, Generating a Mini-Certificate
View all Cisco SPA1001 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 63 highlights
Chapter 3 Configuring Linksys ATAs Secure Call Implementation • Mini-Certificate (252B) Upon receiving the Caller Hello, the called party responds with a Callee Hello message (base64 encoded and embedded in the message body of a SIP response to the caller's INFO request) with similar information, if the Caller Hello message is valid. The caller then examines the Callee Hello and proceeds to the next step if the message is valid. 2. The caller sends the "Caller Final" message to the called party with the following information: • Message ID (4B) • Encrypted Master Key (16B or 128b) • Encrypted Master Salt (16B or 128b) The Master Key and Master Salt are encrypted with the public key from the called party mini-certificate. The Master Key and Master Salt are used by both ends for deriving session keys to encrypt subsequent RTP packets. The called party then responds with a Callee Final message (which is an empty message). Using a Mini-Certificate The Linksys ATA Mini-Certificate (MC) contains the following information: • User Name (32B) • User ID or Phone Number (16B) • Expiration Date (12B) • Public Key (512b or 64B) • Signature (1024b or 512B) The MC has a 512-bit public key used for establishing secure calls. The administrator must provision each subscriber of the secure call service with an MC and the corresponding 512-bit private key. The MC is signed with a 1024-bit private key of the service provider, which acts as the CA of the MC. The 1024-bit public key of the CA signing the MC must also be provisioned for each subscriber. The CA public key is used by the Linksys ATA to verify the MC received from the other end. If the MC is invalid, the Linksys ATA will not switch to secure mode. The MC and the 1024-bit CA public key are concatenated and base64 encoded into the single parameter . The 512-bit private key is base64 encoded into the parameter, which should be kept secret, like a password. Because the secure call establishment relies on exchange of information embedded in message bodies of SIP INFO requests/responses, the service provider must ensure that the network infrastructure allows the SIP INFO messages to pass through with the message body unmodified. Generating a Mini-Certificate Linksys provides a configuration tool called gen_mc for the generation of MC and private keys with the following syntax: gen_mc ca-key user-name user-id expire-date Where: • ca-key is a text file with the base64 encoded 1024-bit CA private/public key pairs for signing/verifying the MC, such as the following: Document Version 3.1 Linksys ATA Administrator Guide 3-11