Linksys RTP300 User Guide - Page 58

Secure Call Implementation Secure Call Details Looking at the second stage of setting up a secure call in greater detail, this stage can be further divided into two steps. 1. The caller sends a "Caller Hello" message (base64 encoded and embedded in the message body of a SIP INFO request) to the called party with the following information: • Message ID (4B) • Version and flags (4B) • SSRC of the encrypted stream (4B) • Mini-Certificate (252B) Upon receiving the Caller Hello, the called party responds with a Callee Hello message (base64 encoded and embedded in the message body of a SIP response to the caller's INFO request) with similar information, if the Caller Hello message is valid. The caller then examines the Callee Hello and proceeds to the next step if the message is valid. 2. The caller sends the "Caller Final" message to the called party with the following information: • Message ID (4B) • Encrypted Master Key (16B or 128b) • Encrypted Master Salt (16B or 128b) The Master Key and Master Salt are encrypted with the public key from the called party mini-certificate. The Master Key and Master Salt are used by both ends for deriving session keys to encrypt subsequent RTP packets. The called party then responds with a Callee Final message (which is an empty message). Using a Mini-Certificate The Mini-Certificate (MC) contains the following information: • User Name (32B) • User ID or Phone Number (16B) • Expiration Date (12B) • Public Key (512b or 64B) • Signature (1024b or 512B) The MC has a 512-bit public key used for establishing secure calls. The administrator must provision each subscriber of the secure call service with an MC and the corresponding 512-bit private key. The MC is signed with a 1024-bit private key of the service provider, which acts as the CA of the MC. The 1024-bit public key of the CA signing the MC must also be provisioned for each subscriber. Linksys ATA Administration Guide 58