Cisco Systems SPA3102, SPA2102, WRP400, SPA8000, PAP2T manual Using a Mini-Certificate

STEP 2 The caller sends the “Caller Final” message to the called party with the following information:

Using a Mini-Certificate

The Master Key and Master Salt are encrypted with the public key from the called party mini-certificate. The Master Key and Master Salt are used by both ends for deriving session keys to encrypt subsequent RTP packets. The called party then responds with a Callee Final message (which is an empty message).

The Mini-Certificate (MC) contains the following information:

The MC has a 512-bit public key used for establishing secure calls. The administrator must provision each subscriber of the secure call service with an MC and the corresponding 512-bit private key. The MC is signed with a 1024-bit private key of the service provider, which acts as the CA of the MC. The 1024-bit public key of the CA signing the MC must also be provisioned for each subscriber.

The CA public key is used to verify the MC received from the other end. If the MC is invalid, the call will not switch to secure mode. The MC and the 1024-bit CA public key are concatenated and base64 encoded into the single parameter Mini Certificate. The 512-bit private key is base64 encoded into the SRTP Private Key parameter, which should be kept secret, like a password. (Mini Certificate and SRTP Private Key are configured in the Line tabs.)

Because the secure call establishment relies on exchange of information embedded in message bodies of SIP INFO requests/responses, the service provider must ensure that the network infrastructure allows the SIP INFO messages to pass through with the message body unmodified.