Cisco SPA901-UK Provisioning Guide - Page 35

Creating Provisioning Scripts
Open Format Configuration File
Cisco Small Business IP Telephony Devices Provisioning Guide, chapter 2, page 34

File Encryption
An XML configuration profile can be encrypted by using symmetric key encryption, whether or not it is already compressed. The supported encryption algorithm is the Advanced Encryption Standard (AES), using 256-bit keys, applied in cipher block chaining (CBC) mode.

NOTE: Compression must precede encryption for the IP Telephony device to recognize a compressed and encrypted XML profile. First generate the XML file, then compress it with gzip, and finally encrypt it.

The OpenSSL encryption tool, available for download from various Internet sites, can be used to perform the encryption. Note that support for 256-bit AES encryption might require recompilation of the tool (to enable the AES code). The firmware has been tested against version openssl-0.9.7c.

If the file is encrypted, the profile expects the file to have the same format as generated by the following command:

    # example encryption key = SecretPhrase1234
    openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml -out profile.cfg

    # analogous invocation for a compressed xml file
    openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml.gz -out profile.cfg

A lower-case -k precedes the secret key, which can be any plain-text phrase and is used together with a randomly generated 64-bit salt: from the salt and the secret specified with the -k argument, the encryption tool derives a random 128-bit initialization vector and the actual 256-bit encryption key.
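The Go program below is an added example, not code from the Cisco guide, the device firmware or OpenSSL. It reproduces the file layout that "openssl enc -e -aes-256-cbc -k" writes (the 8-byte "Salted__" marker, the 8-byte random salt, then AES-256-CBC ciphertext with PKCS#7 padding) and the device-side steps needed to read it back: re-derive key and IV from the salt and the preprovisioned secret, decrypt, unpad, then gunzip. It assumes that the key and IV are derived with OpenSSL's EVP_BytesToKey using MD5 and one iteration, which was the "openssl enc" default in the openssl-0.9.7 line that the guide names; recent OpenSSL releases derive with SHA-256 by default, so a file produced by a current openssl without "-md md5" would not match this layout. The sample profile, the secret and the fixed salt used in the round trip are constructed for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"errors"
	"io"
)

const (
	// Constructed sample profile; not a real device configuration.
	sampleProfile = `<flat-profile><Profile_Rule>http://prov.telco.com/path/profile.cfg</Profile_Rule></flat-profile>`
	saltedMagic   = "Salted__" // 8-byte marker that "openssl enc" writes before the salt
)

// evpBytesToKey mirrors OpenSSL's EVP_BytesToKey with MD5 and one iteration:
// D_i = MD5(D_{i-1} || secret || salt), concatenated until key and IV are
// filled. Assumption: the phone implements this legacy (openssl-0.9.7 era)
// derivation; newer OpenSSL defaults to SHA-256 unless given "-md md5".
func evpBytesToKey(secret, salt []byte, keyLen, ivLen int) (key, iv []byte) {
	var out, prev []byte
	for len(out) < keyLen+ivLen {
		d := md5.Sum(append(append(append([]byte{}, prev...), secret...), salt...))
		prev = d[:]
		out = append(out, prev...)
	}
	return out[:keyLen], out[keyLen : keyLen+ivLen]
}

// EncryptProfile reproduces the layout of "openssl enc -e -aes-256-cbc -k":
// "Salted__", the 8-byte salt, then AES-256-CBC ciphertext with PKCS#7
// padding. A nil salt means draw a fresh random one, as openssl does.
func EncryptProfile(secret string, plaintext, salt []byte) ([]byte, error) {
	if salt == nil {
		salt = make([]byte, 8)
		if _, err := rand.Read(salt); err != nil {
			return nil, err
		}
	}
	if len(salt) != 8 {
		return nil, errors.New("salt must be 8 bytes")
	}
	key, iv := evpBytesToKey([]byte(secret), salt, 32, aes.BlockSize)
	block, _ := aes.NewCipher(key) // cannot fail: key is always 32 bytes
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte(saltedMagic), salt...), ct...), nil
}

// DecryptProfile is the device side: check the marker, read the salt,
// re-derive key and IV from the preprovisioned secret, decrypt, unpad.
func DecryptProfile(secret string, data []byte) ([]byte, error) {
	if len(data) < 32 || string(data[:8]) != saltedMagic {
		return nil, errors.New("missing Salted__ header")
	}
	salt, ct := data[8:16], data[16:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	key, iv := evpBytesToKey([]byte(secret), salt, 32, aes.BlockSize)
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong secret or corrupted file")
	}
	return pt[:len(pt)-n], nil
}

// BuildProfileCfg follows the guide's required order: XML -> gzip -> AES.
func BuildProfileCfg(secret string, xml, salt []byte) ([]byte, error) {
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(xml) // an in-memory gzip writer reports errors on Close
	if err := w.Close(); err != nil {
		return nil, err
	}
	return EncryptProfile(secret, gz.Bytes(), salt)
}

// RecoverProfileXML reverses it: AES -> gunzip -> XML.
func RecoverProfileXML(secret string, cfg []byte) ([]byte, error) {
	gz, err := DecryptProfile(secret, cfg)
	if err != nil {
		return nil, err
	}
	r, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r)
}
```

The decrypt path shows why the order matters: a wrong secret surfaces as a padding failure (or a bad gzip header a step later), so a device that reads an encrypted-then-compressed file would never get to a valid gzip stream. Checking the "Salted__" marker and block alignment before touching the cipher keeps malformed downloads from reaching the padding check at all.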
When this form of encryption is used to encrypt a configuration profile, the IP Telephony device must be informed of the secret key value to decrypt the file. This value is specified as a qualifier in the pertinent profile URL. The syntax is as follows, using an explicit URL:

    [--key "SecretPhrase1234"] http://prov.telco.com/path/profile.cfg

This value is programmed by using one of the Profile_Rule parameters. The key must be preprovisioned into the unit at an earlier time. This bootstrap of the secret key can be accomplished securely by using HTTPS.