Using A Mini-Certificate; Generating A Mini-Certificate - Linksys SPA1001 Administrator User Manual

Administration guide

Hide thumbs Also See for SPA1001:

Specifications (2 pages)

Technical specifications (2 pages)

Provisioning manual (94 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

Table of Contents

Chapter 3

Configuring Linksys ATAs

Using a Mini-Certificate

The Linksys ATA Mini-Certificate (MC) contains the following information:

•

The MC has a 512-bit public key used for establishing secure calls. The administrator must provision

each subscriber of the secure call service with an MC and the corresponding 512-bit private key. The

MC is signed with a 1024-bit private key of the service provider, which acts as the CA of the MC. The

1024-bit public key of the CA signing the MC must also be provisioned for each subscriber.

The CA public key is used by the Linksys ATA to verify the MC received from the other end. If the MC

is invalid, the Linksys ATA will not switch to secure mode. The MC and the 1024-bit CA public key are

concatenated and base64 encoded into the single parameter <Mini Certificate>. The 512-bit private key

is base64 encoded into the <SRTP Private Key> parameter, which should be kept secret, like a password.

Because the secure call establishment relies on exchange of information embedded in message bodies of

SIP INFO requests/responses, the service provider must ensure that the network infrastructure allows

the SIP INFO messages to pass through with the message body unmodified.

Generating a Mini-Certificate

Linksys provides a configuration tool called gen_mc for the generation of MC and private keys with the

following syntax:

gen_mc ca-key user-name user-id expire-date

Where:

•

Document Version 3.1

•

Mini-Certificate (252B)

Upon receiving the Caller Hello, the called party responds with a Callee Hello message (base64

encoded and embedded in the message body of a SIP response to the caller's INFO request) with

similar information, if the Caller Hello message is valid. The caller then examines the Callee Hello

and proceeds to the next step if the message is valid.

The caller sends the "Caller Final" message to the called party with the following information:

Message ID (4B)

•

Encrypted Master Key (16B or 128b)

•

Encrypted Master Salt (16B or 128b)

•

The Master Key and Master Salt are encrypted with the public key from the called party

mini-certificate. The Master Key and Master Salt are used by both ends for deriving session keys to

encrypt subsequent RTP packets. The called party then responds with a Callee Final message (which

is an empty message).

User Name (32B)

User ID or Phone Number (16B)

Expiration Date (12B)

Public Key (512b or 64B)

Signature (1024b or 512B)

ca-key is a text file with the base64 encoded 1024-bit CA private/public key pairs for

signing/verifying the MC, such as the following:

Secure Call Implementation

Linksys ATA Administrator Guide

3-11

Table of Contents

Show Quick Links

Quick Links:
Spa1001
Spa8000

Hide quick links:

Table of Contents

This manual is also suitable for:

Ag310 Pap2t Rtp300 Spa2102 Spa3102 Spa8000 ... Show all

Using A Mini-Certificate; Generating A Mini-Certificate - Linksys SPA1001 Administrator User Manual

Using a Mini-Certificate

Generating a Mini-Certificate

Hide quick links:

Related Manuals for Linksys SPA1001

Related Products for Linksys SPA1001

This manual is also suitable for:

Table of Contents