[VOIPSEC] Cisco 7960 (Skinny) with Asterisk
Louis R. Marascio
marascio at metreos.com
Tue May 2 14:38:25 BST 2006
I should point out that the Cisco 7960 does not support media path
encryption, only authentication. You need to obtain a Cisco 7970, 7971,
7961, or 7941 if you want to do SRTP. There is a Cisco document on the
web that explains this in more detail but I cannot find the link at the
When a Cisco IP phone is running in encrypted mode it will do a few
1. When it initiates the TFTP operation on initial boot it will attempt
to retrieve a Certificate Trust List. This CTL file contains a list of
trusted peers, their roles, and related certificates. This file is
signed using an Aladdin eToken that has been purchased from Cisco. On
this eToken is a Public/Private key pair that is rooted in and signed by
the Cisco Certificate Authority. The phone will not trust a CTL file
that is not signed or one that is signed by a private key not rooted in
the Cisco CA.
2. Once the phone downloads and validates the CTL file, it will then
attempt to retrieve signed configuration files. These signed
configuration files are identical to those that would normally be
fetched from the TFTP server except they are signed as well. These
files are signed using a self-signed key pair generated during the CCM
install. The phone trusts this self-signed key pair because it is
included in the CTL file mentioned above. These configuration files
contain, among other things, the list of Cisco CallManager subscribers
that the phone should connect to.
3. If the phone is able to retrieve valid CTL and configuration files it
will initiate a TLS connection to the subscriber(s) listed in the signed
configuration file. This TLS connection is used to transport the SCCP
protocol and is typically initiated on port 2443 to the CallManager;
however, this is configurable.
4. Given that the phone is capable of establishing the secure signaling
path via TLS, CallManager will consider the phone "encrypted". This
means that when calls are being set up, CCM will include optional parameters
in the StartMediaTransmission and OpenReceiveChannel messages. These
parameters are the required key, salt, and algorithm for transmitting
and receiving secure media. In Cisco's world, the algorithm is AES-128.
As you would expect, CallManager will only negotiate encrypted media if
both endpoints are encrypted.
There are other layers to this security onion that you may have to
investigate. For example, there is a role in Cisco's security scheme
for a node known as the "Certificate Authority Proxy Function". Cisco
has some fairly detailed information in their documentation about their
overall security architecture that may shed some additional light on the
I hope this note helps in your thesis work.
Louis R. Marascio
t: +1 (512) 687 2005
m: +1 (512) 964 4569
e: marascio at metreos.com
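The boot-time trust chain in steps 1 and 2 above (CTL signed by an eToken key rooted in the Cisco CA, config files signed by the CCM's self-signed key that the CTL lists, phone rejecting anything outside that chain) is easier to reason about as code. The following is an added example written for this page, not code from the original post, from Cisco, or from Asterisk. It models the chain with Ed25519 keys standing in for the X.509/RSA material real phones use, assumes the role string "CCM+TFTP" and the encoding of CTL entries (both are simplifications of the real CTL format), and uses a constructed one-line config body naming a subscriber on port 2443.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a public key plus an issuer's signature over it. For the eToken
// certificate the issuer is the Cisco CA; the phone has that root key built in.
type Cert struct {
	Pub ed25519.PublicKey
	Sig []byte // issuer's signature over Pub
}

// CTLEntry is one trusted peer: its role and its public key.
// Role "CCM+TFTP" is assumed here as the role that may sign config files.
type CTLEntry struct {
	Role string
	Pub  ed25519.PublicKey
}

// CTL is the Certificate Trust List as fetched over TFTP at boot.
type CTL struct {
	Entries []CTLEntry
	Signer  Cert   // the eToken certificate; must chain to the Cisco CA
	Sig     []byte // eToken's signature over the encoded entries
}

// SignedConfig is a phone configuration file plus the CCM signature over it.
type SignedConfig struct {
	Body []byte
	Sig  []byte
}

// encodeEntries is an assumed, simplified serialization of the CTL entries
// (role, NUL separator, raw key) used as the signed input.
func encodeEntries(entries []CTLEntry) []byte {
	var b []byte
	for _, e := range entries {
		b = append(b, []byte(e.Role)...)
		b = append(b, 0)
		b = append(b, e.Pub...)
	}
	return b
}

// phoneBoot is the phone's view: given the Cisco root key burned into the
// firmware and the two files fetched via TFTP, return the config body or an error.
func phoneBoot(ciscoRoot ed25519.PublicKey, ctl CTL, cfg SignedConfig) ([]byte, error) {
	// Step 1: the eToken cert must be signed by the Cisco CA, and the CTL by the eToken.
	if !ed25519.Verify(ciscoRoot, ctl.Signer.Pub, ctl.Signer.Sig) {
		return nil, errors.New("CTL signer is not rooted in the Cisco CA")
	}
	if !ed25519.Verify(ctl.Signer.Pub, encodeEntries(ctl.Entries), ctl.Sig) {
		return nil, errors.New("CTL signature invalid")
	}
	// Step 2: the config must be signed by a CCM+TFTP key listed in the validated CTL.
	for _, e := range ctl.Entries {
		if e.Role == "CCM+TFTP" && ed25519.Verify(e.Pub, cfg.Body, cfg.Sig) {
			return cfg.Body, nil
		}
	}
	return nil, errors.New("config not signed by a CCM+TFTP key in the CTL")
}

type scenario struct {
	root ed25519.PublicKey
	ctl  CTL
	cfg  SignedConfig
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// buildScenario constructs the whole chain. rogueToken signs the CTL with a
// token whose certificate was not issued by the Cisco CA; rogueConfig signs
// the config with a key that is not in the CTL (a hostile TFTP server).
func buildScenario(rogueToken, rogueConfig bool) scenario {
	rootPub, rootPriv := mustKey()
	tokPub, tokPriv := mustKey()
	issuer := rootPriv
	if rogueToken {
		_, issuer = mustKey()
	}
	tokCert := Cert{Pub: tokPub, Sig: ed25519.Sign(issuer, tokPub)}

	ccmPub, ccmPriv := mustKey() // self-signed pair generated at CCM install
	entries := []CTLEntry{{Role: "CCM+TFTP", Pub: ccmPub}}
	ctl := CTL{Entries: entries, Signer: tokCert, Sig: ed25519.Sign(tokPriv, encodeEntries(entries))}

	cfgSigner := ccmPriv
	if rogueConfig {
		_, cfgSigner = mustKey()
	}
	body := []byte("subscribers=ccm1.example.net:2443\n") // constructed sample config
	cfg := SignedConfig{Body: body, Sig: ed25519.Sign(cfgSigner, body)}
	return scenario{root: rootPub, ctl: ctl, cfg: cfg}
}

func main() {
	cases := []struct {
		name               string
		rogueTok, rogueCfg bool
	}{
		{"valid chain", false, false},
		{"CTL signed by non-Cisco token", true, false},
		{"config signed by key absent from CTL", false, true},
	}
	for _, c := range cases {
		sc := buildScenario(c.rogueTok, c.rogueCfg)
		body, err := phoneBoot(sc.root, sc.ctl, sc.cfg)
		fmt.Printf("%-40s -> body=%q err=%v\n", c.name, body, err)
	}
}
```

The point of the two failing scenarios is the one Louis makes: without the Cisco-issued token you cannot produce a CTL the phone will accept, so a rogue TFTP server cannot redirect a phone in encrypted mode to a CallManager (or an Asterisk box) of its choosing, even if it can serve files.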
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Mohammad Halawah
Sent: Monday, May 01, 2006 8:35 PM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] Cisco 7960 (Skinny) with Asterisk
Hi everyone,
I am writing my master's thesis regarding SRTP interoperability. I would
like to know how the keys are exchanged (protocol, key length*)
between CCM (Cisco CallManager) and the Cisco 7960 (SCCP v8 firmware) to
establish an SRTP-ed call, and then to mimic this with Asterisk.
The only information I managed to get from Cisco web-site is:
"Key Manager in CCM derives symmetric "shared secret" (SS)
keys used by phones for encryption".
In case these keys are distributed through protected (TLS/VPN**)
SDescriptions, then the mission is easy.
* most likely it's 128-bit (as it was in 2004)
** most likely TLS.