
CCIE Voice: Cryptography in Cisco Unified Communications
BRKCCIE-3242

Andreas Szoldatics, Senior Trainer & Consultant

What Is Covered by This Session?

- Impossible to cover all topics about voice security in a two-hour session
- Session helps to prepare for CCIE Voice exam questions and lab tasks that relate to Cisco Unified Communications Manager security
- Intended for CCIE Voice candidates lacking security experience
- Cisco Unified Communications Manager knowledge is expected

BRKCCIE-3242

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Agenda

- Threats to Cisco Unified Communications
- Introduction to Cryptography
- Cisco Unified Communications Manager Security
- Summary
- Q&A

Threats to Cisco Unified Communications

Examples of Threats Targeting the IP Telephony System

[Figure: four threat classes illustrated on a customer-to-bank call]
- Loss of Privacy: an eavesdropper reads confidential customer information from the call
- Loss of Integrity: "Deposit $1000" is altered in transit to "Deposit $100"
- Impersonation: "I am Bob, send me phone calls." / "I am the PSTN, send me calls."
- Denial of Service: loss of dial tone

Introduction to Cryptography: Symmetric vs. Asymmetric Encryption

Symmetric Encryption

[Figure: $1000 -> Encrypt (shared key) -> $!@#I -> Decrypt (same shared key) -> $1000]

- Same (shared) key encrypts and decrypts
- Key must be kept secret by both sender and receiver
- Fast
- Algorithms: 3DES, AES, RC4, Blowfish, etc. (of these, only AES is still recommended today: RC4 is prohibited in TLS by RFC 7465 and 3DES has been deprecated by NIST)

Symmetric Encryption (Cont.)

Key Management
- Different key for each pair of devices
- Keys should be changed frequently (hours to weeks)
- Same key must be known by both parties

Usage
- Bulk data encryption (e-mail, IPsec packets, SRTP, HTTPS, TLS)

Algorithm Example: AES
- Selected by NIST in 2000 (published as FIPS 197 in 2001)
- Much faster and more efficient than DES/3DES
- Used to encrypt signaling (TLS) and media (SRTP)

Asymmetric Encryption

[Figure: $1000 -> Encrypt (encryption key) -> %3f7 -> Decrypt (different decryption key) -> $1000]

- Based on key pairs: data encrypted with one key can only be decrypted with the other key of the pair
- Each entity owns its pair of keys
- Only one key (the decryption key) must be kept secret
- Slow
- Algorithms: RSA, ECC, etc.

Asymmetric Encryption (Cont.)

Key Management
- Different key pair for each entity
- Keys can be used for longer periods (months to years)
- One key must remain secret (private key); the other key must be known by other entities (public key)

Usage
- Low-volume data (e.g. symmetric keys)

Algorithm Example: RSA
- Developed in 1977, in the public domain since the patent expired in 2000

Two Ways to Use Asymmetric Encryption

Confidentiality
- Sender encrypts data with the public key of the receiver
  - Any sender can generate the encrypted message; senders only need to know the public key of the receiver
  - Only the receiver can decrypt the data, because only the receiver knows the corresponding private key

Authenticity and Integrity
- Sender "encrypts" (signs) data with its own private key
  - Only the sender can generate the signed message, because only the sender knows its private key
  - All receivers can verify the signed message; they need to know the corresponding public key of the sender
- In practice the private-key operation is applied to a hash of the data rather than to the data itself (see Digital Signatures)

Introduction to Cryptography: Hash-Based Message Authentication Codes (HMAC)

Hash Functions

[Figure: Message (data of arbitrary length) -> Hash Function -> Fixed-Length Hash, e.g. e883aa0b24c09...]

- One-way functions
- Generate fixed-length output (hash, digest or fingerprint) from arbitrary input data
- Computationally infeasible to recover the hashed data from the digest
- Collisions (multiple inputs resulting in the same hash output) exist, but finding one must be infeasible; MD5 and SHA-1 no longer meet this requirement and should not be relied on where collision resistance matters
- Fast
- Algorithm examples: MD5, SHA-1, SHA-2, SHA-3, etc.

No Integrity Provided by Pure Hashing

[Figure: sender hashes "Confirm Order" -> e8F0s31a...; the attacker changes the data and recomputes the digest; the receiver asks "same hash digest?" and sees a match]

- Only the algorithm has to be known to create a valid hash, and algorithms are well known
- An attacker changing the data can easily create a new hash
- The receiver cannot detect the manipulation
- For security, a secret element has to be added to the computation

Hash-Based Message Authentication Code or Keyed Hash

[Figure: "Confirm Order" + secret key -> hashing algorithm -> bff6f12a0 (HMAC, authenticated fingerprint); the receiver recomputes with the same key -> bff6f12a0 -> HMAC verified]

Secret key added to provide authenticity and integrity:
- Sender creates a hash value from the input data plus the locally known key
- Sender transmits data plus hash
- Receiver creates a hash from the received data plus the locally known key
- The locally created hash must match the received one

Symmetric key nature
- Different key for each pair of devices
- Keys should be changed frequently (hours to weeks)
- Same key must be known by both parties

Used for bulk data (IPsec packets, HTTPS, TLS, SRTP)
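The attack on the pure-hash slide and the keyed-hash fix, as an added example in Python (not code from the BRKCCIE-3242 deck). The order text and the 32-byte shared key are constructed for the demo; HMAC-SHA256 from the standard library stands in for the keyed SHA-1 that TLS and SRTP use on the following slides, the construction is the same.

```python
"""Plain hash versus keyed hash (HMAC) on the "Confirm Order" message."""
import hashlib
import hmac

# Constructed sample data for the demo (not from the slides).
ORIGINAL = b"Confirm Order: 100 units to account 4711"
TAMPERED = b"Confirm Order: 900 units to account 6666"
# Constructed shared secret; in practice this is a negotiated session key.
SHARED_KEY = bytes(range(32))


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: anyone who knows the algorithm can compute it."""
    return hashlib.sha256(data).hexdigest()


def receiver_checks_plain(data: bytes, digest: str) -> bool:
    return plain_digest(data) == digest


def mitm_rewrites_plain(data: bytes, digest: str):
    """Attacker swaps the data and recomputes the digest; no secret needed."""
    return TAMPERED, plain_digest(TAMPERED)


def make_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the data with the shared secret (RFC 2104 construction)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute locally and compare in constant time to avoid a timing oracle."""
    return hmac.compare_digest(make_tag(key, data), tag)


def mitm_rewrites_hmac(data: bytes, tag: bytes):
    """Same attack without the key: the attacker can only guess a tag.
    A fixed all-zero guess is used so the demo is deterministic."""
    return TAMPERED, bytes(len(tag))


def demo() -> dict:
    """Run both scenarios; True means the receiver caught the tampering."""
    d = plain_digest(ORIGINAL)
    data1, d1 = mitm_rewrites_plain(ORIGINAL, d)
    plain_detected = not receiver_checks_plain(data1, d1)

    t = make_tag(SHARED_KEY, ORIGINAL)
    data2, t2 = mitm_rewrites_hmac(ORIGINAL, t)
    hmac_detected = not verify_tag(SHARED_KEY, data2, t2)

    return {
        "plain_hash_detects_tampering": plain_detected,               # False
        "hmac_detects_tampering": hmac_detected,                      # True
        "hmac_accepts_genuine": verify_tag(SHARED_KEY, ORIGINAL, t),  # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

`hmac.compare_digest` is used on the receiving side deliberately: a plain `==` on tags returns at the first mismatching byte and leaks timing that lets an attacker build a valid tag one byte at a time.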

Introduction to Cryptography: Digital Signatures

Digital Signatures
- Provide authenticity, integrity and non-repudiation
- Based on asymmetric cryptographic methods
- Sender's private key used as the signature-generating key
- Sender's public key used as the signature-verification key
- Slower than HMAC
  - Not used for bulk or real-time traffic
  - Used for device authentication and exchange of symmetric keys

Digital Signatures (Cont.)

[Figure: signing and verifying a purchase order across an untrusted network]
- Signer: SHA-1 hash of "Purchase Order $100,000" -> 49eD0e3A7c44... -> RSA "encrypt" with the private key of the signer -> signature e10d6200aCe...
- The purchase order plus the signature are sent over the untrusted network
- Verifier: RSA "decrypt" the signature with the public key of the signer -> 49eD0e3A7c44...; SHA-1 hash of the received purchase order -> same hash digest?

Introduction to Cryptography: Public Key Infrastructure (PKI)

Key Distribution Issues

Symmetric keys used by symmetric encryption and HMAC
- Frequent key exchange between peers is needed
- Confidentiality and authenticity are required for the key exchange
- Out-of-band exchange does not scale

Public keys used by asymmetric encryption and digital signatures
- Public keys need to be distributed to all devices
- Authenticity and integrity are required for the key exchange
- Out-of-band verification or exchange do not scale

Symmetric Key Distribution Protected by Asymmetric Encryption

[Figure: one user encrypts the AES key with RSA using the public key of the receiver; the receiver recovers the AES key with RSA using its own private key]

- The symmetric key is generated by one peer
- The key is encrypted with the public key of the receiver and sent over the network
- Only the receiver can decrypt the message, using its private key
- Allows secure, automated distribution of symmetric keys
- Relies on knowledge of the public keys of all possible peers

Public Key Distribution in Asymmetric Cryptography

[Figure: User A and User B each hold the other's public key]

- All entities have to know the public keys of all other entities
- If automated key exchange is used, authenticity and integrity must be provided to avoid man-in-the-middle attacks
- Out-of-band verification does not scale
- PKI can be used to solve the scalability issues

PKI as a Trusted Third-Party Protocol

- Does not eliminate the need for authenticity and integrity of public keys (out-of-band verification)
- Solves the scalability issue by using a hierarchical model with a trusted introducer:
  - Authenticity and integrity (out-of-band verification) are only required between the trusted introducer and each entity
  - Authenticity and integrity between entities are then guaranteed by the trusted introducer (no out-of-band verification required)
  - The trusted introducer guarantees authenticity and integrity of the public keys of other entities by means of certificates, signed by the introducer

PKI: Generating Key Pairs

[Figure: the trusted introducer, User A and User B each hold their own public and private key]

Every entity, including the trusted introducer, needs to generate its own public and private key pair.

PKI: Distribution of the Public Key of the Trusted Introducer

[Figure: User A and User B now also hold the public key of the trusted introducer]

Each entity obtains the public key of the trusted introducer and verifies its authenticity and integrity (out-of-band).

PKI: Requesting Signed Certificates

[Figure: User A and User B send their public keys to the trusted introducer]

Each entity submits its public key to the trusted introducer and requests a certificate.

PKI: Signing Certificates

[Figure: the trusted introducer signs the content "Public Key of User A" with RSA, using its private key as the signing key; the result is the public key of User A signed by the trusted introducer]

The trusted introducer verifies the received public key (out-of-band) and creates a certificate signed with the trusted introducer's private key.

PKI: Providing Entities with Their Certificates

[Figure: the trusted introducer returns to User A and User B their certificates (each public key signed by the trusted introducer)]

The trusted introducer sends the signed certificates to the entities.

PKI: Exchange of Public Keys Between Entities Using Their Signed Certificates

[Figure: User A and User B exchange their certificates over an untrusted network; each holds the public key of the trusted introducer to verify the other's certificate]

- Entities can now exchange their public keys by means of their signed certificates
- The signature of a received certificate is verified using the public key of the trusted introducer. This ensures the authenticity and integrity of the peer's public key

PKI Entities

Term | Function
CA (Certificate Authority) | The trusted introducer signing the certificates of PKI entities (PKI users)
PKI Users | Devices, users, or applications that want to safely distribute their public keys
Certificates | Digital form (X.509v3) including the identity of a PKI user, its public key, and a signature (created by the CA)
Self-signed Certificates | Sometimes entities issue self-signed certificates: the CA, as the root of a PKI; entities that are not part of a PKI (not associated with a CA) but use PKI-enabled applications. Self-signed certificates require out-of-band verification

X.509v3 Certificates

Field | Example
Certificate Format Version | Version 3
Certificate Serial Number | 12457801
Signature Algorithm Identifier for CA | RSA with SHA-1
Issuer X.500 Name | C = US, O = Cisco, CN = CA
Validity Period | Start = 04/01/12, Expire = 04/01/17
Subject X.500 Name | C = US, O = Cisco, CN = CCMCluster001
Subject Public Key Information | 756ECE0C9ADC7140...
Extension(s) (v3) |
CA Signature | 2C086C7FE0B6E90DA396AB

Introduction to Cryptography: PKI Example: SSL in the Internet

Internet Web Server Certificate

[Figure: the Internet-CA signs the public key of the web server with the private key of the Internet-CA; the web server holds its private key and its certificate]

- Used for sensitive web applications
- The web server has a private and a public key
- The web server has a certificate, usually issued by a public Internet-CA

Internet Web Browser: Embedded Internet-CA Certificates

- Web browser applications have Internet-CA certificates already embedded (100+)
- Eliminates the need to download and verify the Internet-CA's certificate

Obtaining the Authentic Public Key of the Web Server

[Figure: the web server sends its certificate (public key of the web server, signed by the Internet-CA) over the Internet; the web browser verifies the signature with the embedded public key of the Internet-CA and extracts the public key of the web server]

- The server passes its certificate to the client at connection startup
- The client verifies the certificate using the embedded certificate of the Internet-CA that issued the certificate of the web server
- The client extracts the public key of the web server from the certificate

Web Server Authentication

[Figure: the web browser sends a random string as a challenge (Rj@as94i...); the web server signs it with RSA using its private key and returns the response (p2CksD3r...); the browser checks the response with the public key of the web server and recovers Rj@as94i...]

- The client sends a challenge with random data to the web server
- The web server uses its private key to sign the data and sends it back to the client
- The client verifies the returned data using the public key of the web server previously retrieved from the certificate
- If the returned data matches the sent data, the web server has the correct private key and is therefore authentic
- This challenge/response is the conceptual model used throughout this session. In a real TLS handshake with RSA key transport there is no separately signed challenge: the server proves possession of the private key implicitly, by decrypting the client's encrypted pre-master secret and then producing a correct Finished message under the keys derived from it

Exchange of Symmetric Session Keys

[Figure: the web browser generates session keys (ke4P6d2e...), encrypts them with RSA using the public key of the web server and sends them over the Internet; the web server decrypts them with RSA using its private key]

- The client generates symmetric session keys for the encryption and HMAC algorithms to provide session protection
- The client encrypts the keys using the public key of the web server and sends them to the web server
- Only the web server can decrypt the session keys, using its private key

Session Encryption

[Figure: data from the browser is AES-encrypted with the session keys (Ss199l4...) and decrypted by the web server; data from the server is AES-encrypted (dV46a7...) and decrypted by the browser]

Packets between the web server and the client can now be authenticated (using HMAC, such as keyed SHA-1) and encrypted (using symmetric encryption algorithms such as AES).

Cisco Unified Communications Manager Security: PKI Topologies Used in Cisco Unified Communications

PKI Topologies in Cisco Unified Communications Manager Deployments

- Cisco Unified Communications Manager service certificates are self-signed: CCM, TFTP and Certificate Authority Proxy Function (CAPF)
- Manufacturing Installed Certificates (MICs) on current Cisco Unified IP phone models are signed by the Cisco manufacturing CA
- Locally Significant Certificates (LSCs) on 7940, 7960 and current Cisco IP phone models are signed by the CAPF
- The Secure SRST certificate is signed by an external CA

Self-Signed Certificates

[Figure: CCM1, CCM2, TFTP and CAPF each hold their own private key and a self-signed certificate for their public key]

- Each CallManager service has a self-signed certificate
- The TFTP service also has a self-signed certificate
- If the CAPF is used (needed for LSCs), it also has a self-signed certificate
- All of them act as their own PKI root

Manufacturing Installed Certificates (MIC)

[Figure: the Cisco CA issues the phone's certificate during production, signing the public key of the phone with the private key of the Cisco CA; the phone holds its private key, its MIC and the public key of the Cisco CA]

- Cisco IP phone models with MICs have a public and private key pair and the MIC for the phone installed
- The certificate of the IP phone is signed by the Cisco manufacturing CA
- The Cisco manufacturing CA is the PKI root for all MICs

Locally Significant Certificates (LSC)

[Figure: left, CAPF acting as a CA: the phone enrolls with the CAPF on CCM1; right, CAPF acting as a sub-CA: the CAPF enrolls with an enterprise CA and the phone enrolls with the CAPF]

- LSCs can be used on phones with MICs or on Cisco Unified IP Phone 7940 and 7960 models (SCCP only)
- They use LSCs issued by the CAPF
- The CAPF can be a CA itself (self-signed) or a sub-CA of an enterprise CA
- The CAPF or the external CA is the root for all LSCs

Multiple PKI Roots in Cisco Unified Communications Manager Deployments

[Figure: CCM1 and TFTP with self-signed certificates; a 7941 with a MIC issued by the Cisco CA; a 7940 with an LSC issued by the CAPF CA]

- No single root, but multiple independent PKI topologies
- All need to be known and trusted (out-of-band verification)
- The Cisco Certificate Trust List (CTL) allows verification of the roots

Cisco Unified Communications Manager Security: Cisco Certificate Trust List (CTL)

CTL Client Signs CTL

[Figure: the Cisco CTL client collects the certificates of CCM1, TFTP, CAPF, the Cisco CA and the CTL client itself, and produces a signed list of certificate issuers using the private key of the Cisco CTL client]

- Obtains the certificates of all certificate-issuing instances (PKI roots)
- Creates a list (CTL) containing all obtained certificates and signs the list
- The Cisco CTL client keys are physically stored on a security token

CTL Download

[Figure: the TFTP server sends the CTL (public keys of TFTP, CCM1, the Cisco CA and the Cisco CTL client) to the IP phone, which holds its own private key and certificate]

- The CTL is sent to the IP phones over TFTP at boot
- The CTL contains all entities that issue certificates
- The IP phone now knows which issuers are trusted
- Similar to the Internet-CA certificates embedded in an Internet browser

Cisco CTL Client Application

[Figure: security token]

- The Cisco CTL client software is used to create or update the CTL
- The CTL is signed by the Cisco CTL client using the private key from one of the administrator security tokens, which are all signed by the Cisco CA
- The CTL file must be updated only if Cisco Unified Communications Manager services or security tokens change
- The CTL also acts as an authorization list specifying which certificates belong to which function (such as Cisco Unified Communications Manager and TFTP)

CTL Verification on the IP Phone

[Figure: the phone's existing CTL lists the public keys of the Cisco CTL client, TFTP, CCM1, CCM2 and the Cisco CA; a new CTL arrives over TFTP and its signature is checked against the CTL client public key in the existing CTL]

- Every time the IP phone receives a new CTL, it is verified
- The new CTL must be signed by one of the authorized security tokens (listed in the IP phone's current CTL file)
- If no CTL file is present on the phone, the new CTL is not verified (initial deployment or after erasing the CTL from the IP phone)
- Two practical consequences: the first CTL download is trust-on-first-use, so initial deployment (or a phone whose CTL was erased) should happen on a network where an attacker cannot serve a rogue CTL over TFTP; and when security tokens are replaced, the new CTL must still be signed with a token that the phones' current CTL lists, otherwise the phones reject it

IP Phone Usage of the CTL

Encrypted Signaling (CallManager service certificate)
- SCCP or SIP over TLS
- Certificate-based two-way authentication between the IP phone and Cisco Unified Communications Manager
- The IP phone verifies the self-signed Cisco Unified Communications Manager certificate against the CTL

LSC Enrollment (CAPF certificate)
- Protected by TLS
- Certificate-based authentication of the CAPF to the IP phone
- The IP phone verifies the self-signed CAPF certificate against the CTL

Signed IP Phone Configuration Files (TFTP server certificate)
- The TFTP file is signed with the private key of the TFTP server
- The IP phone needs to know the authentic public key of the TFTP server

Signed CTL File (CTL client certificate)
- The CTL file is signed with the private key of a security token
- The corresponding public key must be known in the current CTL

Cisco Unified Communications Manager Security: Signed and Encrypted Configuration Files

Signed IP Phone Configuration Files

[Figure: the TFTP server holds Image.bin.sgn, Config1.xml.sgn, Config2.xml.sgn and Config3.xml.sgn; Config2.xml.sgn (XML configuration file plus the signature of the TFTP server) is sent to the phone, which checks it with the public key of TFTP]

- Configuration files are signed by the TFTP server (using its private key)
- The phone verifies the signature before applying the configuration (using the corresponding public key from the CTL)
- Done automatically for supported IP phones when security mode is enabled for the cluster
- Prevents falsification of phone configuration files

Encrypted IP Phone Configuration Files

[Figure: the TFTP server holds Image.bin.sgn, Config1.xml.sgn, Config2.xml.sgn and Config3.xml.sgn; Config2.xml.sgn is an XML configuration file with encrypted content, protected by a symmetric key used for encryption and decryption]

- The configuration file is encrypted by the TFTP server
- The phone decrypts the configuration file before applying the configuration
- Two ways to manage the (symmetric) key used for encryption:
  - The TFTP server encrypts the symmetric key using the IP phone's public key (for supported phones) and appends it to the configuration file
  - Manually entered keys are used for IP phones that do not support public and private keys (7905/7912: writeable web page; 7940/7960 [SIP only]: phone UI)
- Prevents exposure of sensitive phone configuration settings

Cisco Unified Communications Manager Security: Secure Signaling

Certificate Exchange in TLS

[Figure: Phone Hello -> CallManager Hello -> CallManager Certificate -> Certificate Request -> Phone Certificate]

- TLS hellos are used to negotiate the attributes of the TLS session (one- or two-way certificate exchange, encryption and HMAC algorithms, key lengths, etc.)
- Certificates are exchanged
- Certificates are then validated

Server-to-Phone Authentication

[Figure: after the certificate exchange, Challenge1 from the phone and Response1 from the server]

- The IP phone sends a challenge to the server containing random data to be signed by the server
- The server signs the random data with its private key and returns the signed data to the IP phone
- The IP phone verifies the signature using the public key of the server
- Prevents impersonation of the server

Phone-to-Server Authentication

[Figure: Challenge2 from the server and Response2 from the phone follow Challenge1/Response1]

- The server sends a challenge to the IP phone containing random data to be signed by the IP phone
- The IP phone signs the random data with its private key and returns the signed data to the server
- The server verifies the signature using the public key of the IP phone
- Prevents impersonation of the IP phone

TLS SHA-1 and AES Session Key Exchange

[Figure: after both challenge/response rounds, a Key Exchange message from the phone to the server]

- The IP phone generates session keys for SHA-1 and AES, encrypts them using the public key of the server and sends the encrypted keys to the server
- The server decrypts the keys
- IP phone and server now share secret keys

Secure Signaling Using TLS

[Figure: SCCP or SIP carried inside TLS, protected by SHA-1 (HMAC) and AES on both sides]

- The symmetric keys shared by the IP phone and the server are used to protect signaling messages (SCCP or SIP) using authenticated and encrypted TLS packets
- Prevents falsification and eavesdropping of signaling messages

Cisco Unified Communications Manager Security: Secure Real-time Transport Protocol (SRTP)

SRTP Packet Format

[Figure: SRTP packet layout]
    V | P | X | CC | M | PT | Sequence Number
    Time Stamp
    Synchronization Source (SSRC) Identifier
    Contributing Sources (CSRC) Identifiers ...
    RTP Extension (optional)
    RTP Payload                                  <- encrypted data
    SRTP MKI (0 bytes for voice)
    SHA-1 Authentication Tag (truncated fingerprint)

Authenticated data: RTP header and RTP payload. Encrypted data: RTP payload only.

SRTP Encryption

[Figure: voice -> AES with the AES key -> encrypted voice 74liz22U -> AES with the same AES key -> voice]

- The sender encrypts the RTP payload using the AES algorithm and a symmetric key
- The receiver uses the same key to decrypt the RTP payload
- Prevents eavesdropping on the conversation

SRTP Authentication

[Figure: voice or encrypted voice + SHA-1 key -> SHA-1 -> 32-bit truncated hash s197i, sent with the packet; the receiver recomputes with the same key and compares: hashes equal?]

- The sender hashes the RTP packet together with a symmetric key using SHA-1 (HMAC-SHA1)
- The hash digest is truncated to 32 bits and appended to the RTP packet
- The receiver uses the same key for a local computation of the truncated hash and compares it against the received one
- Prevents falsification of RTP packets
- A 32-bit tag is shorter than the 80-bit default of RFC 3711: it saves six bytes per packet, at the price that a forged packet is accepted by chance with probability 2^-32 per attempt, which is tolerable for voice media only because a single accepted forgery yields no more than a few milliseconds of noise
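The authentication step of the three preceding SRTP slides in Python, as an added example that is not part of the deck. It builds the RTP header from the packet-format slide, authenticates header plus payload with HMAC-SHA1 truncated to 32 bits, and shows the receiver rejecting a modified packet. Following RFC 3711 section 4.2, the 32-bit rollover counter (ROC) is appended to the authenticated data before hashing; the MKI is omitted (0 bytes, as the slide notes for voice). AES-CM payload encryption is not implemented here: the payload bytes are a constructed stand-in for already-encrypted audio, which is all the authentication step looks at. The auth key and packet values are constructed for the demo.

```python
"""SRTP packet authentication: HMAC-SHA1 over header + payload + ROC, 32-bit tag."""
import hashlib
import hmac
import struct
from typing import Optional

RTP_HEADER_LEN = 12       # fixed header without CSRCs or extension
TAG_LEN = 4               # HMAC-SHA1 truncated to 32 bits, as on the slides


def build_rtp_header(seq: int, timestamp: int, ssrc: int, pt: int = 0, marker: int = 0) -> bytes:
    """Fixed RTP header: V=2, P=0, X=0, CC=0, M, PT, sequence number, time stamp, SSRC."""
    first = 2 << 6                                   # V=2, P=0, X=0, CC=0
    second = ((marker & 1) << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", first, second, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)


def parse_rtp_header(pkt: bytes) -> dict:
    """Split the fixed header into the fields shown on the packet-format slide."""
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_HEADER_LEN])
    return {"V": first >> 6, "P": (first >> 5) & 1, "X": (first >> 4) & 1, "CC": first & 0x0F,
            "M": second >> 7, "PT": second & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}


def srtp_auth_tag(auth_key: bytes, rtp_packet: bytes, roc: int) -> bytes:
    """HMAC-SHA1(auth_key, header || encrypted payload || ROC)[:4], RFC 3711 section 4.2.
    Authenticating the ROC binds the tag to the full 48-bit packet index, not just the 16-bit seq."""
    mac = hmac.new(auth_key, rtp_packet + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:TAG_LEN]


def protect(auth_key: bytes, header: bytes, encrypted_payload: bytes, roc: int) -> bytes:
    """Sender: append the truncated tag (MKI omitted, 0 bytes as for voice)."""
    body = header + encrypted_payload
    return body + srtp_auth_tag(auth_key, body, roc)


def verify(auth_key: bytes, srtp_packet: bytes, roc: int) -> Optional[bytes]:
    """Receiver: return header+payload if the tag checks out, else None (drop the packet)."""
    if len(srtp_packet) < RTP_HEADER_LEN + TAG_LEN:
        return None
    body, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
    if not hmac.compare_digest(srtp_auth_tag(auth_key, body, roc), tag):
        return None
    return body


def demo() -> dict:
    auth_key = bytes.fromhex("0f" * 20)        # constructed 160-bit session auth key
    hdr = build_rtp_header(seq=1000, timestamp=160000, ssrc=0x1234ABCD, pt=0)
    payload = bytes(range(160))                # constructed stand-in for AES-encrypted G.711
    pkt = protect(auth_key, hdr, payload, roc=0)

    forged = bytearray(pkt)
    forged[RTP_HEADER_LEN + 10] ^= 0xFF        # flip one payload byte in transit
    return {
        "genuine_accepted": verify(auth_key, pkt, 0) == hdr + payload,    # True
        "tampered_rejected": verify(auth_key, bytes(forged), 0) is None,  # True
        "wrong_roc_rejected": verify(auth_key, pkt, 1) is None,           # True
        "tag_bytes_on_wire": len(pkt) - len(hdr) - len(payload),          # 4
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the operational caveat: if sender and receiver disagree on the ROC, every packet fails authentication even though the key is correct, so a ROC desync after a sequence-number wrap looks exactly like a key mismatch.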

SRTP in Cisco Unified Communications

- Intra-cluster SRTP is supported by
  - Cisco IP phones using SCCP and SIP
  - MGCP, H.323, and SIP gateways
- Inter-cluster SRTP is supported since Cisco Unified Communications Manager
- SRTP session keys (symmetric keys used for the truncated HMAC and AES) are generated by
  - Cisco IP phones (SIP)
  - Cisco Unified Communications Manager
- Symmetric keys are exchanged in signaling messages
  - Secure signaling is required for key protection
  - Authenticated and encrypted signaling is mandatory for Cisco IP phones (SCCP and SIP) when using SRTP
  - MGCP, H.323, SIP, and Cisco Unified Communications Manager intra- and inter-cluster signaling are NOT secured by default
  - IPsec should be used to protect the keys in signaling messages if the signaling is not natively secured

Cisco Unified Communications Manager Security: IPsec

IPsec
- Network-layer security
- Applicable to any sensitive traffic that is not protected by the applications themselves
- Especially important when cryptographic keys are sent in clear text, like SRTP keys in signaling messages:
  - Server-to-server intra-cluster signaling
  - Inter-cluster trunk signaling
  - Signaling to H.323 gateways
  - Signaling to MGCP gateways
- Supported features since Cisco Unified Communications Manager 5
  - ESP only, no AH
  - Pre-shared keys or X.509 certificates
- Recommended to be terminated on network infrastructure devices rather than on the servers themselves
- Prevents impersonation of IPsec peers
- Prevents falsification and eavesdropping of protected IP packets

IPsec Scenarios in Cisco Unified Communications

[Figure: three scenarios. (1) IP phone -TLS- Cisco Unified Communications Manager -H.323- H.323 gateway, media over SRTP; (2) IP phone -TLS- Cisco Unified Communications Manager -MGCP- MGCP gateway, media over SRTP; (3) IP phone -TLS- Cisco Unified Communications Manager -inter- or intra-cluster signaling- Cisco Unified Communications Manager -TLS- IP phone, media over SRTP. In each case the unprotected signaling leg is the candidate for IPsec.]

Recommendation: terminate IPsec on the closest possible network infrastructure device instead of on Cisco Unified Communications Manager.

Cisco Unified Communications Manager Security: Secure Survivable Remote Site Telephony (SRST)

Secure SRST

[Figure: two IP phones with TLS signaling to the Secure SRST gateway and SRTP media between them]

- Allows Cisco IP phones to use TLS for signaling and SRTP for media when in SRST mode
- Prevents impersonation of the SRST gateway and of IP phones
- Prevents falsification and eavesdropping of signaling and RTP packets

PKI Topology with Secure SRST

[Figure: the IP phone holds a MIC (issued by the Cisco CA) and/or an LSC (issued by the CAPF) plus the CTL listing the Cisco CA, CAPF, TFTP and CCM; the SRST gateway holds an SRST certificate issued by a separate CA]

- Phones have certificates (MIC and/or LSC) and a CTL
- The SRST gateway obtains a certificate from any (external) CA

Trust Requirements with Secure SRST

IP phones must be able to verify the Secure SRST gateway certificate (issued by any external CA)
- The Secure SRST gateway certificate is not verified by its signature (using the public key of the issuing CA)
- The Secure SRST gateway certificate is obtained by Cisco Unified Communications Manager at configuration time (using the credentials service on the gateway)
- Manual verification is requested at configuration time
- Cisco Unified Communications Manager adds the received (and manually verified) certificate to the phone configuration files

The Secure SRST gateway must be able to verify IP phone certificates
- IP phone certificates are signed by either the CAPF (LSC) or the Cisco Manufacturing CA (MIC)
- The CAPF and Cisco Manufacturing CA certificates are added manually to the Secure SRST gateway

Secure SRSTCertificate Import: Cisco Unified


Communications Manager

Imports certificate from the Secure SRST gateway over the network
Manual certificate fingerprint verification required

Secure SRST Certificate Import: Secure SRST Gateway

Certificates of entities that signed phone certificates (CAPF, Cisco Manufacturing CAs) are added manually:

srst(config)#crypto pki trustpoint CAPF
srst(ca-trustpoint)#enrollment terminal
srst(ca-trustpoint)#revocation-check none
srst(ca-trustpoint)#exit
srst(config)#crypto pki authenticate CAPF
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
(paste the certificate)
quit
Certificate has the following attributes:
Fingerprint MD5: F7E150EA 5E6E3AC5 615FC696 66415C9F
Fingerprint SHA1: 1BE2B503 DC72EE28 0C0F6B18 798236D8 D3B18BE6
% Do you accept this certificate? [yes/no]: y
Trustpoint CA certificate accepted.
% Certificate successfully imported


Certificate Usage in Secure SRST

[Figure: the TFTP server delivers a signed configuration file carrying the SRST certificate (obtained from the gateway credentials service during configuration); in the two-way TLS certificate exchange the IP phone compares that copy with the SRST certificate (signed by any CA, manually entered on the SRST gateway) presented by the gateway, and the SRST gateway checks the phone's LSC (signed by CAPF) or MIC (signed by the Cisco CA) against the CAPF and Cisco CA certificates it holds]

IP phone verifies the received SRST gateway certificate against the one in its configuration file
SRST gateway checks the received IP phone certificate's signature using the public key of the issuer (Cisco CA or CAPF)
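As an added example (not the deck's or Cisco's code), the Go program below models the two directions of Secure SRST trust from the trust-requirements slide and the figure above, using test certificates it generates itself: the phone accepts the SRST certificate only if it is identical to the copy in its configuration file, and the gateway accepts a phone certificate only if it chains to a manually imported issuer. The subject names (CAPF, SEP001122334455, srst-gateway) are constructed, and ECDSA P-256 keys stand in for whatever the real devices use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a test certificate: self-signed when parent is nil, otherwise signed by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	signer, issuer := key, t
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	return der, key
}
// Phone side: the SRST certificate is not chain-validated, it must equal the copy in the signed configuration file.
func phoneTrustsGateway(presented, fromConfig []byte) bool { return string(presented) == string(fromConfig) }
// Gateway side: the phone certificate (LSC or MIC) must chain to an issuer imported manually (CAPF, Cisco CA).
func gatewayTrustsPhone(phoneDER []byte, imported *x509.CertPool) bool {
	leaf, err := x509.ParseCertificate(phoneDER)
	if err != nil {
		return false
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: imported})
	return err == nil
}

func main() {
	capfDER, capfKey := newCert("CAPF", true, nil, nil) // stands in for the CAPF CA certificate
	capf, _ := x509.ParseCertificate(capfDER)
	imported := x509.NewCertPool() // what "crypto pki authenticate" placed on the gateway
	imported.AddCert(capf)
	lscDER, _ := newCert("SEP001122334455", false, capf, capfKey) // LSC signed by CAPF
	srstDER, _ := newCert("srst-gateway", false, nil, nil)         // SRST certificate from "any CA"
	fmt.Println(phoneTrustsGateway(srstDER, srstDER), gatewayTrustsPhone(lscDER, imported))
}
```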

Cisco Unified Communications Manager Security: Security by Default and Initial Trust List (ITL)

Security by Default Overview

Provides security features without requiring the CTL client and security tokens:
  Signed phone configuration files
  Encrypted phone configuration files
  HTTPS with Tomcat and other web services (Midlets)

Solves several issues:
  Scalability: size of the CTL file to be stored in phones
  Flexibility: no need to create a new CTL file on every change
  Granularity: separates signaling and media security from other security features (configuration file protection, HTTPS)

Security By Default Components

Trust Verification Service (TVS) runs on each Cisco Unified Communications Manager server
  Authenticates certificates on behalf of the phone
  Instead of downloading all the trusted certificates, phones need only to trust TVS

TVS certificates and a few key certificates are bundled in a new file, the Initial Trust List (ITL) file
  The ITL file gets generated and updated automatically without user intervention
  Signed by the private key of the TFTP server

Initial ITL File Download

[Figure: TFTP server and IP phone]
TFTP server signs the ITL file
IP phone requests the ITL file from the TFTP server at boot time
IP phone downloads the ITL file from the TFTP server

Initial download of the ITL file is not secure
  Vulnerable to man-in-the-middle attacks
  Should take place in a trusted environment


Signed and Encrypted Configuration File Download and Phone Registration

[Figure: TFTP server, IP phone, and Cisco Unified Communications Manager cluster with TVS servers]
Phone requests the configuration file from the TFTP server
TFTP server sends the signed and encrypted configuration file
Phone registers at Cisco Unified Communications Manager

IP phone authenticates the signature of the configuration file using the public key of the TFTP server certificate existing within the ITL file


Authentication of Secure IP Phone Services

[Figure: IP phone, application server, and Cisco Unified Communications Manager cluster with TVS servers and certificate repository]
1. Request to establish HTTPS connection
2. Server sends its certificate
3. Establish TLS encrypted communication
4. Phone requests TVS to validate the received certificate
5. TVS server validates the received certificate
6. Certificate validation result is sent to the phone

Security By Default Considerations

New ITL file is only accepted if signed by the trusted TFTP server
TFTP RSA key pair is part of the disaster recovery system backup
  Perform backup after changing the TFTP server certificate
ITL file needs to be deleted from the phone if the RSA keys of the existing TFTP server are lost
  Server rebuild
  Moving phones to another cluster
  Etc.
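As an added example (not Cisco's code), the Go program below models the ITL trust rules from the Security by Default slides: the first ITL is taken on trust, later ITLs are accepted only when signed by the TFTP key already trusted, configuration files are checked with that key, and deleting the ITL is the recovery step when the TFTP keys are lost. The ITL is reduced to the TFTP public key plus its signature, and an Ed25519 key stands in for the TFTP server's RSA key pair to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ITL stands in for the Initial Trust List: the TFTP server's public key, signed with the TFTP
// private key. The real file also carries TVS and CAPF certificates; the trust rule is the same.
type ITL struct{ TFTPPub, Sig []byte }

// Phone keeps only the TFTP key from the last accepted ITL; nil means no ITL is installed.
type Phone struct{ trustedTFTP ed25519.PublicKey }

// NewITL is what the TFTP server publishes: its own public key, signed with its own private key.
func NewITL(tftp ed25519.PrivateKey) ITL {
	pub := tftp.Public().(ed25519.PublicKey)
	return ITL{TFTPPub: pub, Sig: ed25519.Sign(tftp, pub)}
}

// InstallITL: with no ITL installed the file is taken on trust (the initial download is not
// authenticated, hence "trusted environment"); later ITLs must be signed by the trusted key.
func (p *Phone) InstallITL(itl ITL) error {
	if len(itl.TFTPPub) != ed25519.PublicKeySize || !ed25519.Verify(itl.TFTPPub, itl.TFTPPub, itl.Sig) {
		return errors.New("malformed ITL: signature does not match the key it carries")
	}
	if p.trustedTFTP != nil && !ed25519.Verify(p.trustedTFTP, itl.TFTPPub, itl.Sig) {
		return errors.New("ITL not signed by the trusted TFTP server: rejected")
	}
	p.trustedTFTP = itl.TFTPPub
	return nil
}

// DeleteITL is the manual recovery step when the TFTP keys are lost (server rebuild, cluster move).
func (p *Phone) DeleteITL() { p.trustedTFTP = nil }

// AcceptConfig checks the TFTP server's signature on a configuration file with the key from the ITL.
func (p *Phone) AcceptConfig(cfg, sig []byte) bool {
	return p.trustedTFTP != nil && ed25519.Verify(p.trustedTFTP, cfg, sig)
}

func main() {
	_, tftp, _ := ed25519.GenerateKey(rand.Reader)
	var phone Phone
	fmt.Println("first ITL accepted:", phone.InstallITL(NewITL(tftp)) == nil)
	cfg := []byte("<device><name>SEP001122334455</name></device>") // constructed sample
	fmt.Println("config accepted:", phone.AcceptConfig(cfg, ed25519.Sign(tftp, cfg)))
}
```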

Downgrade to pre-8 procedure:
  Set the Prepare Cluster for Rollback to pre 8.0 enterprise parameter to True
  Restart TVS, TFTP, and Cisco CallManager services
  Perform downgrade


Cisco Unified Communications Manager Security: IP Phone VPN Client

IP Phone VPN Client Overview

[Figure: Cisco IP phones with VPN tunnels (SSL VPN: TLS/DTLS) across the Internet to a Cisco ASA or Cisco ISR in front of the Cisco Unified Communications Manager cluster]

IP phone acts as full tunneling client (AnyConnect SSL VPN)
Cisco ASA adaptive security appliance or Cisco IOS acts as VPN gateway
Ideal solution for remote phones that do not have LAN-to-LAN VPN
UDP-based Datagram Transport Layer Security (DTLS) used for actual phone traffic

IP Phone VPN Authentication Options

Authentication side    | Options                                      | Description
-----------------------|----------------------------------------------|-----------------------------------------------
Gateway authentication | Certificate                                  | Phone authenticates gateway
                       |                                              | Performed before client authentication
Client authentication  | Username with password                       | Gateway authenticates phone
                       | Phone certificate                            | Username authentication can be offloaded to an
                       | Username with password and phone certificate | external database (RADIUS)

VPN Gateway Authentication

Gateway certificates must be installed on the phone:
  Regardless of issuing CA, only VPN gateway certificates are uploaded to Unified CM
  Thumbprint is then added to IP phone configuration file

[Figure: trusted VPN gateways; the public keys of ISR-VPN and ASA-VPN (each issued by any CA) are manually added to Cisco Unified Communications Manager, and the relevant VPN certificates are added to the signed configuration file]

Certificate-based Phone Authentication

The CA certificate(s) that issued the phone certificate(s) are required at the VPN gateway:
  Cisco Manufacturing CA
  CAPF

[Figure: the CA certificates (CAPF, Cisco CA) are manually added to the ASA-VPN gateway, which uses them to verify the public key of Phone1; the gateway's own ASA-VPN certificate is issued by any CA]

Summary

Threats to Cisco Unified Communications
  Loss of privacy
  Loss of integrity
  Impersonation
  Denial of service

Cryptography
  Symmetric and asymmetric encryption
  HMACs
  Digital signatures
  PKI

Cisco Unified Communications Manager security features
  PKI-enabled, certificate-based solution; CTL in IP phones
  Signed and encrypted configuration files
  SRTP and secure signaling
  Secure SRST
  Security by default
  IP phone VPN client

Q&A
