[VOIPSEC] Cisco 7960 (Skinny) with Asterisk
Ken Peterson
ken.peterson at packetbrain.com
Tue May 2 09:11:02 CDT 2006
All good information, Louis. However, CallManager 4.1 supports media
path encryption on the 7960 also.
As far as the encryption is concerned, Mohammad... the SRTP is
encrypted with AES-128 as you expected (and authenticated using
SHA-1).
The "shared secret" key for the media stream is sent from CM to
the Skinny endpoints via an additional "proprietary" field in the
Skinny protocol messages.
You can analyze packets for messages that are exchanged between
Cisco CallManager and the device (phone or Cisco IOS MGCP gateway).
Here is a link that shows you how:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a00803fe696.html#wp1056508
If I have a minute later today, I will capture them and let you
know what I can see.
Cheers,
Ken Peterson
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
Behalf Of Louis R. Marascio
Sent: Tuesday, May 02, 2006 9:38 AM
To: Mohammad Halawah; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Cisco 7960 (Skinny) with Asterisk
Mohammad,
I should point out that the Cisco 7960 does not support media path
encryption, only authentication. You need to obtain a Cisco 7970, 7971,
7961, or 7941 if you want to do SRTP. There is a Cisco document on the
web that explains this in more detail but I can not find the link at the
moment.
When a Cisco IP phone is running in encrypted mode it will do a few
things differently:
1. When it initiates the TFTP operation on initial boot it will attempt
to retrieve a Certificate Trust List. This CTL file contains a list of
trusted peers, their roles, and related certificates. This file is
signed using an Aladdin eToken that has been purchased from Cisco. On
this eToken is a Public/Private key pair that is rooted in and signed by
the Cisco Certificate Authority. The phone will not trust a CTL file
that is not signed or one that is signed by a private key not rooted in
the Cisco CA.
2. Once the phone downloads and validates the CTL file, it will then
attempt to retrieve signed configuration files. These signed
configuration files are identical to those that would normally be
fetched from the TFTP server except they are signed as well. These
files are signed using a self-signed key pair generated during the CCM
install. The phone trusts this self-signed key pair because it is
included in the CTL file mentioned above. These configuration files
contain, among other things, the list of Cisco CallManager subscribers
that the phone should connect to.
3. If the phone is able to retrieve valid CTL and configuration files it
will initiate a TLS connection to the subscriber(s) listed in the signed
configuration file. This TLS connection is used to transport the SCCP
protocol and is typically initiated on port 2443 to the CallManager;
however, this is configurable.
4. Given that the phone is capable of establishing the secure signaling
path via TLS, CallManager will consider the phone "encrypted". This
means, when calls are being set up, CCM will include optional parameters
in the StartMediaTransmission and OpenReceiveChannel messages. These
parameters are the required key, salt, and algorithm for transmitting
and receiving secure media. In Cisco's world, the algorithm is AES-128.
As you would expect, CallManager will only negotiate encrypted media if
both endpoints are encrypted.
There are other layers to this security onion that you may have to
investigate. For example, there is a role in Cisco's security scheme
for a node known as the "Certificate Authority Proxy Function". Cisco
has some fairly detailed information in their documentation about their
overall security architecture that may shed some additional light on the
subject.
I hope this note helps in your thesis work.
Best regards,
Louis
---
Louis R. Marascio
Metreos Corporation
t: +1 (512) 687 2005
m: +1 (512) 964 4569
e: marascio at metreos.com
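As an added example (not code from the thread, from Cisco, or from Asterisk): a Go implementation of how the key, salt and AES-128/SHA-1 parameters described in step 4 are applied to a media packet, following RFC 3711's AES counter mode and truncated HMAC-SHA1. It starts from already-derived session keys (the RFC 3711 key derivation from master key and salt is omitted) and assumes a 12-byte RTP header with no CSRCs or extension; the keys and packet used to exercise it are constructed values.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

const tagLen = 10 // SRTP default: HMAC-SHA1 tag truncated to 80 bits
// keystream XORs the AES-128 counter-mode keystream of RFC 3711 4.1.1 into pkt's payload, in place.
// IV = (salt << 16) XOR (SSRC << 64) XOR (index << 16), where index = 2^16*ROC + SEQ.
func keystream(key, salt, pkt []byte, roc uint32) error {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil || len(salt) != 14 || len(pkt) < 12 {
		return errors.New("need a 16-byte key, a 14-byte salt and a 12-byte RTP header")
	}
	seq := binary.BigEndian.Uint16(pkt[2:4])
	var iv [16]byte
	binary.BigEndian.PutUint64(iv[6:14], uint64(roc)<<16|uint64(seq)) // index<<16 -> bytes 8..13
	copy(iv[4:8], pkt[8:12])                                          // SSRC<<64 -> bytes 4..7
	for j, s := range salt {                                           // salt<<16 -> bytes 0..13
		iv[j] ^= s
	}
	cipher.NewCTR(block, iv[:]).XORKeyStream(pkt[12:], pkt[12:])
	return nil
}
// authTag is HMAC-SHA1 over header || encrypted payload || ROC, truncated to tagLen bytes.
func authTag(authKey, body []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	mac.Write([]byte{byte(roc >> 24), byte(roc >> 16), byte(roc >> 8), byte(roc)}) // ROC, big-endian
	return mac.Sum(nil)[:tagLen]
}
// Protect turns a plain RTP packet (12-byte header + payload) into an SRTP packet.
func Protect(key, salt, authKey, rtp []byte, roc uint32) ([]byte, error) {
	out := append([]byte(nil), rtp...)
	if err := keystream(key, salt, out, roc); err != nil {
		return nil, err
	}
	return append(out, authTag(authKey, out, roc)...), nil
}
// Unprotect checks the tag before decrypting, so a forged or altered packet never reaches the codec.
func Unprotect(key, salt, authKey, srtp []byte, roc uint32) ([]byte, error) {
	n := len(srtp) - tagLen
	if n < 0 || !hmac.Equal(srtp[n:], authTag(authKey, srtp[:n], roc)) {
		return nil, errors.New("authentication failed")
	}
	out := append([]byte(nil), srtp[:n]...)
	return out, keystream(key, salt, out, roc)
}
```

The receiver must track the rollover counter (ROC) itself, since only the 16-bit sequence number travels in the packet; a wrong ROC fails authentication rather than producing garbled audio.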
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Mohammad Halawah
Sent: Monday, May 01, 2006 8:35 PM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] Cisco 7960 (Skinny) with Asterisk
Hi everyone,
I am writing my master's thesis regarding SRTP interoperability. I would
like to know how the keys are exchanged (protocol, key length*)
between CCM (Cisco CallManager) and the Cisco 7960 (SCCP v.8 firmware) to
establish an SRTP-ed call, and then to mimic this with Asterisk.
The only information I managed to get from Cisco web-site is:
"Key Manager in CCM derives symmetric "shared secret" (SS)
keys used by phones for encryption".
In case these keys are distributed through protected (TLS/VPN**)
SDescriptions, then the mission is easy.
Best regards,
Mohammad
* most likely it's 128-bit (as it was in 2004)
** most likely TLS.
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org