Siemens V1.2.33 manual Tls, Certificate File Formats

Page 84

Deployment Tool with TLS

TLS

TLS (Transport Layer Security) adds encryption to existing protocols that run over TCP, and allows the two parties of a connection to validate each other's identity. For efficiency, the data itself is encrypted with a symmetric cipher, both parties using the same key to encrypt and decrypt. The TLS handshake, performed at the start of each TLS connection, uses public key cryptography to establish that shared symmetric key and to let each party validate the other's identity.

The TLS client opens a TCP connection to the TLS server and initiates the handshake by sending a Client Hello message. The server replies with a Server Hello message and sends its public key certificate together with the CA certificates that form its chain. The client validates the chain against its own copy of a trusted CA certificate, then sends a Client Key Exchange message containing a secret (the pre-master secret) encrypted with the server's public key; both sides derive the symmetric cipher keys from this secret. The server recovers the secret with its private key. Each side then switches to the negotiated cipher and sends a Finished message encrypted with it, the client first and the server in reply; verifying the peer's Finished message confirms that both derived the same keys and that the handshake was not tampered with. This is the RSA key-exchange handshake of TLS 1.0 to 1.2; cipher suites using ephemeral Diffie-Hellman, and TLS 1.3, agree the key differently, but the key-material requirements described next are the same.

Hence, a TLS server requires key material: a public key certificate, the chain of CA certificates leading up to it, and the matching private key. A TLS client requires a trusted CA certificate with which to validate the server's certificate chain. If the client does not wish to authenticate the server's identity, it does not require the trusted certificate, but it then has no protection against a server impersonating the phone or the Deployment Tool.

The handshake described above provides server authentication by the client. The handshake can be extended so that the server also authenticates the client. For this, the client needs its own key material, while the server needs a trusted certificate with which to validate the client's certificate chain. The phone's TLS server does not perform client authentication.

Certificate File Formats

Certificates and private keys are ASN.1 structures, DER-encoded according to the X.509 and PKCS standards. Using Microsoft Internet Explorer for reference, public key certificates (certificate chains and trusted certificates) are imported and exported as binary (.cer) files, base64 (.cer) files and PKCS#7 (.p7b) files. The binary format contains a single DER-encoded certificate. The base64 format contains the same binary data translated into base64 (i.e. into ASCII) between "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" guard lines, i.e. PEM format. A base64 file can contain multiple certificates: separate base64 files are simply concatenated. A binary PKCS#7 file contains multiple DER-encoded certificates wrapped in additional ASN.1 structure (a SignedData container).

Key material is imported and exported as binary PKCS#12 (.pfx or .p12) files, which contain multiple DER-encoded certificates together with the DER-encoded private keys. PKCS#12 supports password-based encryption of its contents; since the file carries private keys, a password should always be set.
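As an added example (not part of the manual, and not Siemens code), the following Python handles the two certificate containers described above that need no extra library: it splits a concatenated PEM file into its individual DER certificates, converts DER back to PEM, and checks that a binary blob is exactly one complete DER SEQUENCE, which catches a truncated .cer file or two binary certificates accidentally concatenated into one. The sample input is a constructed five-byte DER SEQUENCE standing in for a certificate body; PKCS#7 and PKCS#12 containers are not parsed here.

```python
import base64
import re
from typing import List

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 } stands in for a
# certificate body (a real certificate is also an outer SEQUENCE, just larger).
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_length_ok(der: bytes) -> bool:
    """True if der is one complete outer SEQUENCE: tag 0x30 followed by a
    length field that matches the number of bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        length, hdr = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def der_to_pem(der: bytes) -> str:
    """Wrap one DER certificate in base64 with PEM guard lines (64-char rows)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_ders(text: str) -> List[bytes]:
    """Split a PEM file (possibly several concatenated certificates) into the
    list of DER blobs it carries, rejecting any block that is not one
    complete DER SEQUENCE."""
    ders = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        if not der_length_ok(der):
            raise ValueError("PEM block does not decode to one complete DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no BEGIN/END CERTIFICATE guards found")
    return ders


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'der', 'truncated-der', 'pem' or 'unknown'.
    A PEM file begins with '-', so a leading 0x30 byte means binary DER."""
    if data.startswith(b"\x30"):
        return "der" if der_length_ok(data) else "truncated-der"
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    return "unknown"


if __name__ == "__main__":
    chain_pem = der_to_pem(SAMPLE_DER) + der_to_pem(SAMPLE_DER)
    print(detect_format(SAMPLE_DER), len(pem_to_ders(chain_pem)), "certificates in chain")
```

The length check is deliberately strict: a binary .cer whose outer SEQUENCE length does not match the file size is either cut short or has something appended, and the TLS library on the phone will reject it with an opaque error, so catching it before transfer saves a round of handshake-failure debugging.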


Ref. No. A31003-A2056-A105-63-76A9