Cisco SRP521W-K9-G1 Administration Guide - Page 113

Configuring Voice Configuring Dial Plans 6 • Encrypted Master Salt (16B or 128b) Using a Mini-Certificate The Master Key and Master Salt are encrypted with the public key from the called party mini-certificate. The Master Key and Master Salt are used by both ends for deriving session keys to encrypt subsequent RTP packets. The called party then responds with a Callee Final message (which is an empty message). The Mini-Certificate (MC) contains the following information: • User Name (32B) • User ID or Phone Number (16B) • Expiration Date (12B) • Public Key (512b or 64B) • Signature (1024b or 512B) The MC has a 512-bit public key used for establishing secure calls. The administrator must provision each subscriber of the secure call service with an MC and the corresponding 512-bit private key. The MC is signed with a 1024-bit private key of the service provider, which acts as the Certificate Authority (CA) of the MC. The 1024-bit public key of the CA signing the MC must also be provisioned for each subscriber. The CA public key is used to verify the MC received from the other end. If the MC is invalid, the call will not switch to secure mode. The MC and the 1024-bit CA public key are concatenated and base64 encoded into the single parameter Mini Certificate. The 512-bit private key is base64 encoded into the SRTP Private Key parameter, which should be kept secret, like a password. (Mini Certificate and SRTP Private Key are configured in the Line pages (1-4). Because the secure call establishment relies on exchange of information embedded in message bodies of SIP INFO requests/responses, the service provider must ensure that the network infrastructure allows the SIP INFO messages to pass through with the message body unmodified. Cisco SRP500 Series Services Ready Platforms Administration Guide (SRP520 Models) 113