Siemens V1.2.33 manual Deployment Tool with TLS, Public Key Asymmetric Cryptography, Certificates

Page 83

Deployment Tool with TLS

The following is an attempt to explain briefly how TLS (Transport Layer Security) works and how IP phones use it. In particular, it explains the central role of certificates.

Public Key (Asymmetric) Cryptography

Two parties A and B wish to communicate with each other. Each has its own pair of public and private keys. Each public key only matches its corresponding private key, and vice versa. Each party keeps their private keys secret, while distributing their public keys to the world at large.

A wishes to send B encrypted information. A encrypts the message with B's public key. B decrypts the message with B's private key. Only B can decrypt the message, since only B has the private key which matches the public key with which the message was encrypted.

A wishes to sign a message sent to B. A signs the message by encrypting a digest of the message with A's private key. B decrypts and checks the signature using A's public key. Since only A has the private key which matches A's public key, the message must have been sent by A.

Certificates

A message can only be verified as being signed by A if the public key used to check the signature is known to belong to A. To this end, public keys are distributed as certificates, which are signed by an issuing Certificate Authority (CA). Each certificate contains:

the subject's distinguished name (DN), e.g. A,

the subject's public key,

the issuer's DN, e.g. C,

the certificate's serial number (unique within all certificates issued by C),

the calendar period during which the certificate is valid,

the signature (a digest of the certificate, encrypted using the issuer's private key).

The public key held by a certificate is known to belong to the certificate's subject if the certificate's signature can be checked using the issuer's public key. The issuer's public key is obtained from the issuer's own certificate, which in turn has been issued by another CA, e.g. D. A certificate chain forms (A -> C -> D -> etc.), until a CA is reached (e.g. E) who is deemed trustworthy by the user, e.g. B. B has a copy of E's certificate (possibly obtained from E directly), and uses this to validate the certificate chain A -> C -> D.

A's certificate is not that of a CA, and is termed an end-entity certificate. A CA certificate may not have a separate issuer – it may be signed with the private key corresponding to the certificate's public key – and is termed a self-signed certificate.
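The two mechanisms described above (encrypting with B's public key and decrypting with B's private key; signing a digest with A's private key and checking it with A's public key) and the chain validation A -> C -> D up to the trusted CA E are shown together in the following added example. It is not code from the manual or from the Deployment Tool: it uses textbook RSA with no padding and small keys purely to make the arithmetic visible, the certificate fields are a plain Python structure modelled on the list above, and the validity periods are constructed day numbers rather than calendar dates. The names A, B, C, D and E follow the text; every function name is an assumption of this example.

```python
"""Toy public-key encryption, signatures and certificate-chain validation.
Textbook RSA without padding, for teaching only (assumed, not a real library)."""
import hashlib
import random
from dataclasses import dataclass


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(public_key, plaintext):
    """A encrypts for B with B's public key (plaintext must be shorter than n)."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy scheme")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Only the holder of the matching private key recovers the message."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Signature = digest of the data, 'encrypted' with the signer's private key."""
    n, d = private_key
    return pow(_digest(data), d, n)  # 256-bit digest is always < 512-bit n


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data)


@dataclass
class Certificate:
    subject: str        # subject's distinguished name, e.g. "A"
    public_key: tuple   # subject's public key
    issuer: str         # issuer's distinguished name, e.g. "C"
    serial: int         # unique among the issuer's certificates
    not_before: int     # validity period as constructed day numbers
    not_after: int
    signature: int = 0  # digest of the fields above, signed by the issuer

    def tbs(self):
        """The to-be-signed fields, i.e. everything the issuer vouches for."""
        return repr((self.subject, self.public_key, self.issuer,
                     self.serial, self.not_before, self.not_after)).encode()


def issue(subject, subject_pub, issuer, issuer_priv, serial, not_before, not_after):
    cert = Certificate(subject, subject_pub, issuer, serial, not_before, not_after)
    cert.signature = sign(issuer_priv, cert.tbs())
    return cert


def validate_chain(chain, trust_anchor, today):
    """chain[0] is the end-entity; each later entry issued the one before it.
    Every link must name its issuer correctly, be within its validity period
    and carry a signature that checks under the issuer's public key."""
    for cert, issuer in zip(chain, chain[1:] + [trust_anchor]):
        if cert.issuer != issuer.subject:
            return False
        if not cert.not_before <= today <= cert.not_after:
            return False
        if not verify(issuer.public_key, cert.tbs(), cert.signature):
            return False
    return (trust_anchor.issuer == trust_anchor.subject  # self-signed CA
            and verify(trust_anchor.public_key, trust_anchor.tbs(), trust_anchor.signature)
            and trust_anchor.not_before <= today <= trust_anchor.not_after)


def build_demo():
    """Constructed key pairs and the chain A -> C -> D with E as trusted root."""
    keys = {name: generate_keypair() for name in "ABCDE"}
    e_cert = issue("E", keys["E"][0], "E", keys["E"][1], 1, 0, 1000)  # self-signed
    d_cert = issue("D", keys["D"][0], "E", keys["E"][1], 2, 0, 900)
    c_cert = issue("C", keys["C"][0], "D", keys["D"][1], 3, 0, 800)
    a_cert = issue("A", keys["A"][0], "C", keys["C"][1], 4, 0, 700)   # end-entity
    return keys, [a_cert, c_cert, d_cert], e_cert


if __name__ == "__main__":
    keys, chain, anchor = build_demo()
    ct = encrypt(keys["B"][0], b"hello B")
    print("B decrypts:", decrypt(keys["B"][1], ct))
    sig = sign(keys["A"][1], b"signed by A")
    print("signature checks with A's public key:", verify(keys["A"][0], b"signed by A", sig))
    print("chain A -> C -> D -> E valid today:", validate_chain(chain, anchor, today=100))
```

The validation loop mirrors the text: each certificate's signature is checked with the public key taken from the next certificate up, and the loop ends at the copy of E's certificate that B already holds. A certificate whose issuer field says "C" but whose signature does not check under C's key is rejected, which is the whole point of distributing public keys as signed certificates rather than bare keys.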

Ref. No. A31003-A2056-A105-63-76A9