Linksys SPA922, SPA962 How Https Works, Server Certificates, Client Certificates, Using Https


Provisioning Basics

Using HTTPS

How HTTPS Works

HTTPS encrypts the communication between the client and the server, protecting the message contents from other intervening network devices. The body of the communication between client and server is encrypted with symmetric key cryptography. With symmetric key cryptography, a single secret key is shared by the client and the server over a secure channel protected by public/private key encryption.

Messages encrypted by the secret key can only be decrypted using the same key. HTTPS supports a wide range of symmetric encryption algorithms. The SPA9x2 implements up to 256-bit symmetric encryption, using the Advanced Encryption Standard (AES), in addition to 128-bit RC4.

HTTPS also provides for the authentication of the server and the client engaged in a secure transaction. This feature ensures that the provisioning server and an individual client cannot be spoofed by other devices on the network. This is an essential capability in the context of remote endpoint provisioning.

Server and client authentication is performed using public/private key encryption, using certificates containing the public key. Text encrypted with a public key can be decrypted only by its corresponding private key (and vice versa). The SPA9x2 supports the Rivest, Shamir, and Adleman (RSA) algorithm for public/private key cryptography.

Certificates are authenticated in the context of a certificate chain. A certificate authority lies at the root of the chain, and every other certificate in the chain depends on that root authority for its validity.

Server Certificates

Each secure provisioning server is issued a Secure Sockets Layer (SSL) server certificate, directly signed by Linksys. The firmware running on the SPA9x2 clients recognizes only these certificates as valid. The clients try to authenticate the server certificate when connecting via HTTPS, and reject any server certificate not signed by Linksys.

This mechanism protects the service provider from unauthorized access to the SPA9x2 endpoint, or any attempt to spoof the provisioning server. Such an attack might allow the attacker to reprovision the SPA9x2, to gain configuration information, or to use a different VoIP service. Without the private key corresponding to a valid server certificate, the attacker is unable to establish communication with a Linksys SPA9x2.

Client Certificates

In addition to a direct attack on the SPA, an attacker might attempt to contact a provisioning server using a standard web browser, or other HTTPS client, to obtain the SPA9x2 configuration profile from the provisioning server. To prevent this kind of attack, each SPA9x2 also carries a unique client certificate, also signed by Linksys, including identifying information about each individual endpoint. A certificate authority root certificate capable of authenticating the device client certificate is given to each service provider. This authentication path allows the provisioning server to reject unauthorized requests for configuration profiles.
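
The following Python sketch is an added example, not code from the Linksys guide or firmware. It shows how a provisioning server could require a client certificate and then release a profile only to the device named in that certificate. The CN format (device MAC as 12 hex digits), the `/profiles/<mac>.cfg` path layout and all function names are assumptions made for illustration.

```python
import re
import ssl

# Assumed layout (not from the guide): the client certificate CN is the
# device MAC as 12 hex digits, and profiles live at /profiles/<mac>.cfg.
PROFILE_RE = re.compile(r"/profiles/([0-9a-f]{12})\.cfg")
MAC_RE = re.compile(r"[0-9a-f]{12}")


def make_server_context(device_ca_file=None):
    """Server-side TLS context that refuses clients without a valid certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails if no cert chains to the CA
    if device_ca_file:  # CA root certificate given to the service provider
        ctx.load_verify_locations(cafile=device_ca_file)
    # A real server also calls ctx.load_cert_chain() with its own certificate.
    return ctx


def device_id(peercert):
    """Extract the device MAC from a dict shaped like SSLSocket.getpeercert()."""
    if not peercert:  # None or {}: no certificate, or one that was not validated
        return None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and MAC_RE.fullmatch(value.lower()):
                return value.lower()
    return None


def may_fetch(peercert, path):
    """Allow a profile request only for the device named in the certificate."""
    mac = device_id(peercert)
    match = PROFILE_RE.fullmatch(path)
    return bool(mac and match and match.group(1) == mac)


# Constructed sample in the shape returned by getpeercert(); values are made up.
SAMPLE_CERT = {"subject": ((("organizationName", "Example"),),
                           (("commonName", "0011223344AA"),))}

if __name__ == "__main__":
    for p in ("/profiles/0011223344aa.cfg", "/profiles/0011223344bb.cfg"):
        print(p, may_fetch(SAMPLE_CERT, p))
```

Requiring the certificate stops a browser or other HTTPS client from downloading profiles at all; the per-device check additionally stops one valid endpoint from requesting another endpoint's profile.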

Firmware Upgrade Parameters

The following table defines the function and usage of each parameter in the Firmware Upgrade section of the Provisioning tab.

Linksys SPA9x2 Phone Administration Guide
