Administrator’s Guide SoundPoint IP / SoundStation IP

 

A key is generated by the utility and must be downloaded to the phone so that it can decrypt the files that were encrypted on the server. The device.sec.configEncryption.key configuration file parameter is used to set the key on the phone. The utility generates a random key and the encryption is Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode. An example key would look like this:

Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;

 

If the phone doesn't have a key, it must be downloaded to the phone in plain text (a potential security hole if not using HTTPS). If the phone already has a key, a new key can be downloaded to the phone encrypted using the old key (refer to Changing the Key on the Phone on page C-5). At a later date, new phones from the factory will have a key pre-loaded in them. This key will be changed at regular intervals to enhance security.

 

It is recommended that all keys have unique descriptive strings in order to allow simple identification of which key was used to encrypt a file. This makes boot server management easier.

 

After encrypting a configuration file, it is useful to rename the file to avoid confusing it with the original version, for example rename sip.cfg to sip.enc. However, the directory and override filenames cannot be changed in this manner.

 

You can check whether an encrypted file is the same as an unencrypted file by:

1. Run the configFileEncrypt utility on the unencrypted file with the "-d" option. This shows the "digest" field.

2. Look at the encrypted file using WordPad and check the first line that shows a "Digest=…." field. If the two fields are the same, then the encrypted and unencrypted file are the same.
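The two pieces of format the guide describes, the key descriptor line (Crypt=1;KeyDesc=…;Key=…;) and the Digest= field on the first line of an encrypted file, lend themselves to a small boot-server-side sanity check. The following is an added example, not Polycom's utility or the phone's code; it assumes the descriptor layout shown above, that the Key field is 32 hex digits (128 bits), and that the digest string printed by configFileEncrypt -d is passed in by hand. The exact layout of the encrypted file's first line beyond the Digest= field is an assumption.

```python
import re
from typing import Dict, List

# Key descriptor layout as shown in the guide: Crypt=1;KeyDesc=<name>;Key=<hex>;
KEY_DESCRIPTOR_RE = re.compile(
    r"^Crypt=(?P<crypt>\d+);KeyDesc=(?P<desc>[^;]+);Key=(?P<key>[0-9a-fA-F]+);$"
)
AES128_KEY_HEX_LEN = 32  # AES-128 key: 16 bytes = 32 hex digits
DIGEST_RE = re.compile(r"Digest=([^;\s]+)")  # field on the encrypted file's first line


def parse_key_descriptor(line: str) -> Dict[str, str]:
    """Parse one key descriptor and reject anything that is not a usable AES-128 key."""
    m = KEY_DESCRIPTOR_RE.match(line.strip())
    if not m:
        raise ValueError("malformed key descriptor")
    if m.group("crypt") != "1":
        raise ValueError("unsupported Crypt value: %s" % m.group("crypt"))
    if len(m.group("key")) != AES128_KEY_HEX_LEN:
        raise ValueError("key is %d hex digits, expected %d" % (len(m.group("key")), AES128_KEY_HEX_LEN))
    return {"desc": m.group("desc"), "key": m.group("key").lower()}


def duplicate_descriptions(descriptors: List[str]) -> List[str]:
    """Return KeyDesc strings used by more than one key (the guide recommends unique ones)."""
    counts: Dict[str, int] = {}
    for line in descriptors:
        desc = parse_key_descriptor(line)["desc"]
        counts[desc] = counts.get(desc, 0) + 1
    return sorted(d for d, n in counts.items() if n > 1)


def digest_from_encrypted_header(first_line: str) -> str:
    """Pull the Digest= value out of the first line of an encrypted configuration file."""
    m = DIGEST_RE.search(first_line)
    if not m:
        raise ValueError("no Digest= field on first line")
    return m.group(1)


def encrypted_matches_plain(first_line: str, utility_digest: str) -> bool:
    """Step 2 of the guide's check: compare the file header digest with configFileEncrypt -d output."""
    return digest_from_encrypted_header(first_line).lower() == utility_digest.strip().lower()


# Constructed sample input: the key from the guide plus a second, made-up key reusing its KeyDesc.
SAMPLE_DESCRIPTORS = [
    "Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;",
    "Crypt=1;KeyDesc=companyNameKey1;Key=00112233445566778899aabbccddeeff;",
]
# Constructed first line of an encrypted file; only the Digest= field is taken from the guide.
SAMPLE_ENC_HEADER = "Digest=A1B2C3D4E5F6;"
```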

Note

If a phone downloads an encrypted file that it cannot decrypt, the action is logged, an error message displays, and the phone reboots. The phone will continue to do this until the boot server provides an encrypted file that can be read, an unencrypted file, or the file is removed from the master configuration file list.

Note

The SoundPoint IP 300 and 500 phones will always fail at decrypting files. These phones will recognize that a file is encrypted, but cannot decrypt it and will display an error. This information is logged. Encrypted configuration files can only be decrypted on the SoundPoint IP 301, 320, 330, 430, 501, 550, 600, 601, and 650 and the SoundStation IP 4000 phones.

 

The master configuration file cannot be encrypted on the boot server. This file is downloaded by the bootROM that does not recognize encrypted files. For more information, refer to Master Configuration Files on page 2-5.

 

 

C - 4
