[VOIPSEC] Cisco 7960 (Skinny) with Asterisk
Mohammad Halawah
mhalawah at gmx.net
Thu May 4 00:41:29 CDT 2006
On Tuesday 02 May 2006 15:38, Louis R. Marascio wrote:
> Mohammad,
>
> I should point out that the Cisco 7960 does not support media path
> encryption, only authentication. You need to obtain a Cisco 7970,
> 7971, 7961, or 7941 if you want to do SRTP. There is a Cisco
> document on the web that explains this in more detail but I can not
> find the link at the moment.
>
> When a Cisco IP phone is running in encrypted mode it will do a few
> things differently:
>
> 1. When it initiates the TFTP operation on initial boot it will
> attempt to retrieve a Certificate Trust List. This CTL file
> contains a list of trusted peers, their roles, and related
> certificates. This file is signed using an Aladdin eToken that has
> been purchased from Cisco. On this eToken is a Public/Private key
> pair that is rooted in and signed by the Cisco Certificate
> Authority. The phone will not trust a CTL file that is not signed
> or one that is signed by a private key not rooted in the Cisco CA.
>
> 2. Once the phone downloads and validates the CTL file, it will then
> attempt to retrieve signed configuration files. These signed
> configuration files are identical to those that would normally be
> fetched from the TFTP server except they are signed as well. These
> files are signed using a self-signed key pair generated during the
> CCM install. The phone trusts this self-signed key pair because it
> is included in the CTL file mentioned above. These configuration
> files contain, among other things, the list of Cisco CallManager
> subscribers that the phone should connect to.
>
> 3. If the phone is able to retrieve valid CTL and configuration
> files it will initiate a TLS connection to the subscriber(s) listed
> in the signed configuration file. This TLS connection is used to
> transport the SCCP protocol and is typically initiated on port 2443
> to the CallManager; however, this is configurable.
>
> 4. Given that the phone is capable of establishing the secure
> signaling path via TLS, CallManager will consider the phone
> "encrypted". This means, when calls are being setup, CCM will
> include optional parameters in the StartMediaTransmission and
> OpenReceiveChannel messages. These parameters are the required key,
> salt, and algorithm for transmitting and receiving secure media. In
> Cisco's world, the algorithm is AES-128. As you would expect,
> CallManager will only negotiate encrypted media if both endpoints
> are encrypted.
>
> There are other layers to this security onion that you may have to
> investigate. For example, there is a role in Cisco's security
> scheme for a node known as the "Certificate Authority Proxy
> Function". Cisco has some fairly detailed information in their
> documentation about their overall security architecture that may
> shed some additional light on the subject.
>
> I hope this note helps in your thesis work.
>
> Best regards,
>
> Louis
>
> ---
> Louis R. Marascio
> Metreos Corporation
> t: +1 (512) 687 2005
> m: +1 (512) 964 4569
> e: marascio at metreos.com
>
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> On Behalf Of Mohammad Halawah
> Sent: Monday, May 01, 2006 8:35 PM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Cisco 7960 (Skinny) with Asterisk
>
> Hi every one,
>
> I am writing my master thesis regarding SRTP interoperability. I
> would like to know how the keys are exchanged (protocol,
> key-length*) between CCM (Cisco callmanager) and Cisco7960 (SCCP v.8
> firmware ) to establish SRTP-ed call. Then to mimic this with
> Asterisk.
>
> The only information I managed to get from Cisco web-site is:
> "Key Manager in CCM derives symmetric "shared secret" (SS)
> keys used by phones for encryption".
>
> In case these keys are distributed through protected (TLS/VPN**)
> SDescriptions, then the mission is easy.
>
> Best regards,
> Mohammad
> * most likely it's 128-bit (as it was in 2004)
> ** most likely TLS.
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
Dear Ken and Louis,
According to this information, Cisco is using "open standards"; however,
the phone is bundled with a "Security Framework" which makes
interoperability almost impossible.
I am grateful for your fast, informative responses. You saved a lot
of my time, which I will spend studying other vendors' IP phones.
Kindest regards,
PGP: 60EB 43C9 C29E 9CEB E159 9DE1 7145 54F9 1686 2BB3
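The trust chain Louis describes in steps 1 and 2 (a CA-rooted eToken key signs the CTL; the CTL lists the self-signed config-signing key generated at CCM install; configuration files are accepted only when signed by a key the CTL lists) is exactly what stops a non-Cisco server from standing in for CallManager. The following is an added example, not code from this thread, from Cisco or from Asterisk: it models that chain phone-side with Ed25519 signatures in place of X.509 certificates. The type and function names (Entry, CTL, VerifyCTL, VerifyConfig, BuildScenario), the role strings and the config-file contents are constructed for illustration; the port 2443 in the sample config is the default Louis quotes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Roles a CTL entry can carry. Hypothetical names modelled on the
// "trusted peers, their roles, and related certificates" description.
const (
	RoleCCM  = "CCM"  // subscriber the phone may sign on to
	RoleTFTP = "TFTP" // server whose signed config files are trusted
)

// Entry is one trusted peer in the Certificate Trust List.
type Entry struct {
	Name string
	Role string
	Pub  ed25519.PublicKey
}

// CTL is the list plus the eToken signature over it. The eToken public
// key travels with the list together with the CA's signature over that
// key, so the phone can chain it to the CA key it already trusts.
type CTL struct {
	Entries    []Entry
	SignerPub  ed25519.PublicKey // eToken public key
	SignerCert []byte            // CA signature over SignerPub
	Sig        []byte            // eToken signature over Entries
}

func encodeEntries(es []Entry) []byte {
	var b bytes.Buffer
	for _, e := range es {
		fmt.Fprintf(&b, "%s|%s|%x\n", e.Name, e.Role, e.Pub)
	}
	return b.Bytes()
}

// VerifyCTL is the phone-side check of step 1: a CTL is rejected unless
// its signer is rooted in the CA key burned into the phone and the
// signature over the list itself verifies.
func VerifyCTL(caPub ed25519.PublicKey, c *CTL) error {
	if !ed25519.Verify(caPub, c.SignerPub, c.SignerCert) {
		return errors.New("CTL signer is not rooted in the trusted CA")
	}
	if !ed25519.Verify(c.SignerPub, encodeEntries(c.Entries), c.Sig) {
		return errors.New("CTL signature does not verify")
	}
	return nil
}

// VerifyConfig is step 2: the config file is accepted only if signed by
// a key that the (already verified) CTL lists with the TFTP role.
func VerifyConfig(c *CTL, cfg, sig []byte) error {
	for _, e := range c.Entries {
		if e.Role == RoleTFTP && ed25519.Verify(e.Pub, cfg, sig) {
			return nil
		}
	}
	return errors.New("config file not signed by a TFTP key listed in the CTL")
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildScenario constructs the chain from freshly generated keys: the CA
// key, a valid CTL, a config file with its signature, and a "rogue" CTL
// signed by a key the CA never certified (what a third-party server
// without a Cisco-issued eToken could produce).
func BuildScenario() (caPub ed25519.PublicKey, good, rogue *CTL, cfg, cfgSig []byte) {
	caPub, caPriv := genKey()
	tokPub, tokPriv := genKey()   // eToken key pair, certified by the CA
	tftpPub, tftpPriv := genKey() // self-signed key from the CCM install
	ccmPub, _ := genKey()

	entries := []Entry{
		{"ccm-sub1", RoleCCM, ccmPub},
		{"ccm-tftp", RoleTFTP, tftpPub},
	}
	good = &CTL{
		Entries:    entries,
		SignerPub:  tokPub,
		SignerCert: ed25519.Sign(caPriv, tokPub),
		Sig:        ed25519.Sign(tokPriv, encodeEntries(entries)),
	}
	// Constructed config contents: which subscriber to connect to and on what port.
	cfg = []byte("subscribers=ccm-sub1:2443\n")
	cfgSig = ed25519.Sign(tftpPriv, cfg)

	rogueTokPub, rogueTokPriv := genKey()
	rogue = &CTL{
		Entries:    entries,
		SignerPub:  rogueTokPub,
		SignerCert: ed25519.Sign(rogueTokPriv, rogueTokPub), // self-certified, not CA-rooted
		Sig:        ed25519.Sign(rogueTokPriv, encodeEntries(entries)),
	}
	return
}

func main() {
	caPub, good, rogue, cfg, sig := BuildScenario()
	fmt.Println("good CTL :", VerifyCTL(caPub, good))
	fmt.Println("config   :", VerifyConfig(good, cfg, sig))
	fmt.Println("rogue CTL:", VerifyCTL(caPub, rogue))
}
```

The rogue CTL fails at the first check, before its own signature over the entries is even looked at: the phone's trust anchor is the CA public key, not any key that happens to appear in the list, so listing a third-party server as a subscriber does nothing unless the list itself is signed by a CA-certified eToken.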