Cisco SPA2102-AU Provisioning Guide - Page 19

Server Certificates, Client Certificates, Linksys Certificate Chain Structure - an

Get Cisco SPA2102-AU PDF manuals and user guides View all Cisco SPA2102-AU manuals
Add to My Manuals
Save this manual to your list of manuals

Page 19 highlights

Chapter 1 Provisioning Linksys VoIP Devices Using HTTPS Server and client authentication is performed using public/private key encryption, using certificates containing the public key. Text encrypted with a public key can be decrypted only by its corresponding private key (and vice versa). The SPA supports the RSA algorithm for public/private key cryptography. Certificates are authenticated in the context of a certificate chain. A certificate authority lies at the root of the chain, with all other certificates depending on the root authority for authority. Server Certificates Each secure provisioning server is issued an SSL server certificate, directly signed by Linksys. The firmware running on the SPA clients recognizes only these certificates as valid. The clients try to authenticate the server certificate when connecting via HTTPS, and reject any server certificate not signed by Linksys. This mechanism protects the service provider from unauthorized access to the SPA endpoint, or any attempt to spoof the provisioning server. This might allow the attacker to reprovision the SPA, to gain configuration information, or to use a different VoIP service. Without the private key corresponding to a valid server certificate, the attacker is unable to establish communication with a Linksys SPA. Client Certificates In addition to a direct attack on the SPA, an attacker might attempt to contact a provisioning server using a standard web browser, or other HTTPS client, to obtain the SPA configuration profile from the provisioning server. To prevent this kind of attack, each SPA also carries a unique client certificate, also signed by Linksys, including identifying information about each individual endpoint. A certificate authority root certificate capable of authenticating the device client certificate is given to each service provider. This authentication path allows the provisioning server to reject unauthorized requests for configuration profiles. Linksys Certificate Chain Structure The combination of server certificates and client certificates ensures the secure communication between a remote SPA and its provisioning server. Figure 1-2 illustrates the relationship and placement of certificates, public/private key pairs, and signing root authorities, among the Linksys client, the provisioning server, and the Linksys certification authority. The upper half of the diagram shows the Linksys Provisioning Server Root Authority, used to sign individual provisioning server certificates. The corresponding root certificate is compiled into all firmware releases at or above 2.0.6, allowing the SPA endpoints to authenticate authorized provisioning servers. Version 3.0 Linksys SPA Provisioning Guide 1-9

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
1-9
Linksys SPA Provisioning Guide
Version 3.0
Chapter 1
Provisioning Linksys VoIP Devices
Using HTTPS
Server and client authentication is performed using public/private key encryption, using certificates
containing the public key. Text encrypted with a public key can be decrypted only by its corresponding
private key (and vice versa). The SPA supports the RSA algorithm for public/private key cryptography.
Certificates are authenticated in the context of a certificate chain. A certificate authority lies at the root
of the chain, with all other certificates depending on the root authority for authority.
Server Certificates
Each secure provisioning server is issued an SSL server certificate, directly signed by Linksys. The
firmware running on the SPA clients recognizes only these certificates as valid. The clients try to
authenticate the server certificate when connecting via HTTPS, and reject any server certificate not
signed by Linksys.
This mechanism protects the service provider from unauthorized access to the SPA endpoint, or any
attempt to spoof the provisioning server. This might allow the attacker to reprovision the SPA, to gain
configuration information, or to use a different VoIP service. Without the private key corresponding to
a valid server certificate, the attacker is unable to establish communication with a Linksys SPA.
Client Certificates
In addition to a direct attack on the SPA, an attacker might attempt to contact a provisioning server using
a standard web browser, or other HTTPS client, to obtain the SPA configuration profile from the
provisioning server. To prevent this kind of attack, each SPA also carries a unique client certificate, also
signed by Linksys, including identifying information about each individual endpoint. A certificate
authority root certificate capable of authenticating the device client certificate is given to each service
provider. This authentication path allows the provisioning server to reject unauthorized requests for
configuration profiles.
Linksys Certificate Chain Structure
The combination of server certificates and client certificates ensures the secure communication between
a remote SPA and its provisioning server.
Figure 1-2
illustrates the relationship and placement of
certificates, public/private key pairs, and signing root authorities, among the Linksys client, the
provisioning server, and the Linksys certification authority.
The upper half of the diagram shows the Linksys Provisioning Server Root Authority, used to sign
individual provisioning server certificates. The corresponding root certificate is compiled into all
firmware releases at or above 2.0.6, allowing the SPA endpoints to authenticate authorized provisioning
servers.