This utility generates 8-bytes of salt (which is prepended to the encrypted configuration file), and then
calculates an Initialization Vector (IV) and an 256-bit encryption key using the key phrase provided on
the command line. The TA recognizes the leading characters "Salted__" as a hint to find the salt and
decrypt the configuration file.
Linksys XML configuration files can be compressed using the gzip compression algorithm. Gzip is
available from http://www.gzip.org .
gzip cleartextconfig.xml
If both compression and encryption are used, the clear text version must be compressed before it is
encrypted. The PHONE ADAPTER does not recognize files which are encrypted and then
compressed since encrypted files are uncompressible. The Linksys PHONE ADAPTER automatically
detects if a file is compressed or encrypted.
3.2. Secure Initial Configuration
Linksys recommends a secure configuration system to providers to protect them from theft of service,
account forgery, and denial of service. To that end, Linksys Terminal Adapters are provisioned at the
factory with a public key certificate signed by the Linksys certificate authority.
The first step in this process is for the Linksys terminal adapters to use HTTPS to initially contact the
configuration server specified in the Profile_Rule. The initial URL can be configured into the TA at
manufacturing time for order over a certain size, it can be added during a staging process, or it can
be provided via the web interface as described in the next section. The PHONE ADAPTER opens a
TCP connection to the initial configuration server, and sends an SSLv2 ClientHello message. The
configuration server then presents a server certificate signed by Linksys in a ServerHello message,
and requests the certificate of the client. The Terminal Adapter validates the server certificate and
provides its client certificate. From the client certificate, the provider is assured of the authenticity of
the MAC address, serial number, and model number of the Linksys device which has connected. The
terminal adapter will then use an HTTP GET over this TLS secure channel to fetch its initial
configuration.
An Apache web server can be setup to perform all the certificate verification automatically as
configuration directives. An example configuration is listed below:
<Directory /linksys/secure-setup/>
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
SSLCertificateFile provider-cert-signed-by-linksys.pem
SSLCertificateKeyFile provider-private-key.pem
SSLCertificateChainFile linksys-cert.pem
SSLCACertificateFile linksys-cert.pem
SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
and %{SSL_CLIENT_I_DN_O} eq "Linksys" \
and %{SSL_CLIENT_S_DN_O} eq "Linksys" \
and %{SSL_CLIENT_S_DN_CN} eq %{REQUEST_FILENAME}
</Directory>
© 2004 Linksys Proprietary (See Copyright Notice on Page 2)
25