© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Secure IP Telephony Understanding Cisco IP Telephony Authentication and Encryption Fundamentals

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Threats Targeting the IP Telephony System Loss of privacybecause of sniffed calls Loss of integritybecause of intercepted and altered calls Impersonationbecause of identity spoofing Loss of functionality from DoS attacks: –Against IP telephony components (such as tampering with IP phone images or IP phone configuration files) –Against the underlying infrastructure

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Examples of Threats Targeting the IP Telephony System Here is the financial info. Loss of PrivacyLoss of Integrity ImpersonationDoS CustomerBank Deposit $1000 Deposit $100 I am Bob, send me phone calls. I am the PSTN, send me calls. Where is my dial tone?

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v How a Cisco IP Telephony Network Protects Against Threats Secure signaling for Cisco IP phones: –Provides authentication of devices and signaling messages –Provides encryption of messages –Stops all kind of signaling attacks Secure media transfer: –Provides authentication and encryption of media transfer –Stops capturing of IP phone conversations Secure Cisco IP phone images: –Provides authentication of IP phone images –Stops modification attacks Secure Cisco IP phone configuration files: –Provides authentication and encryption of IP phone configuration files –Stops modification or sniffing attacks

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v How a Cisco IP Telephony Network Protects Against Threats (Cont.) Network layer based security Supported by Cisco Unified CallManager (using preshared keys or certificates) Recommended to be used on network infrastructure device Applicable for any sensitive traffic that is not protected by the application, such as SRTP session key exchange in signaling traffic: –Intercluster trunks –H.323 gateways –MGCP gateways IPsec provides universal protection for IP packets.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v How a Cisco IP Telephony Network Protects Against Threats (Cont.) Digest authentication provides some level of authentication in SIP environments (trunks, phones) where TLS is not supported. It provides authentication only, using an MD5 hash of the username and password. TLS uses X.509 mutual certificate-based authentication. If both are supported, use TLS. On supported phones, enable encrypted configuration files.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Secure Signaling Provides authentication and authorization of devices (IP phone and Cisco Unified CallManager) Provides authentication and encryption of signaling messages exchanged between the devices Is a prerequisite for secure media transfer because of media key exchange inside Skinny or SIP messages Uses TLS Based on Cisco IP telephony PKI solution

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Secure Signaling Using TLS Skinny or SIP messages sent inside a protected TLS session Transport-layer protection Similar to SSL used for web server access TLS SCCP or SIP

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Secure Media Transfer Provides confidentialitysniffed packets cannot be interpreted (conversation cannot be played back) Provides integrity and authenticityconversation cannot be altered during transit (modified, injected, or removed packets are detected) Requires encrypted signaling Uses Secure RTP (SRTP) Based on Cisco IP telephony PKI solution

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Secure Media Transfer Using SRTP RTP packets sent encrypted Standards-baseduses RFC 3711 (Secure RTP) Application-layer (inside-payload) protection; protocol headers stay the same SCCP or SIP SRTP TLS

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Authentication of IP Phone Images Totally independent from the Cisco IP telephony PKI solution Supported on all IP phones Images signed by Cisco manufacturing (using a private key) Cisco CallManager Release 3.3(3) and later IP phone images: contain the corresponding public key Allows new images to be verified without any additional configuration Also checks image device type (prevents loading the incorrect image to an IP phone model)

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Phone Image Verification The administrator installs a new Cisco-signed IP phone image on the TFTP server. The IP phone verifies the signature using the corresponding public key already embedded in the existing IP phone image. Public Key of Cisco Image.bin.sgn Config1.xml.sgn Config2.xml.sgn Config3.xml.sgn CTL TFTP Server Binary Executable File Cisco IP Phone Image Signature Image.bin.sgn TFTP

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v TFTP Authentication of IP Phone Configuration Files Configuration files signed by the TFTP server Phone verifies signature before applying configuration Uses Cisco IP telephony PKI solution Stops tampering with configuration files on the TFTP server or in transit Public Key of TFTP Image.bin.sgn Config1.xml.sgn Config2.xml.sgn Config3.xml.sgn CTL TFTP Server XML Configuration File Signature of TFTP Server Config2.xml.sgn TFTP

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Encryption of IP Phone Configuration Files Configuration file content encrypted Phone decrypts configuration file before applying configuration Can use Cisco IP telephony PKI solution (for safe exchange of symmetric encryption and decryption key) or manually entered key Stops sniffing of configuration files on the TFTP server or in transit Symmetric Key Used for Encryption and Decryption Image.bin.sgn Config1.xml.sgn Config2.xml.sgn Config3.xml.sgn TFTP Server XML Configuration File with Encrypted Content Config2.xml.sgn.eng TFTP

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v PKI Topologies in Cisco IP Telephony Cisco IP telephony PKI is not a single PKI system: Cisco Unified CallManager servers certificates are self-signed. MICs on Cisco Unified IP Phone 7971, 7970, 7961, 7941, 7911 models are signed by Cisco manufacturing CA. LSCs on any supported Cisco IP phone models (including the ones that support MICs) are signed by Cisco Unified CallManager CAPF or by an external CA. External CAs are supported in Cisco Unified CallManager 4.x. Current versions of Cisco Unified CallManager 5 do not support external CAs.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v TFTP CAPFCCM2 CCM1 Cisco IP Telephony Self-Signed Certificate PKI Topologies Each Cisco Unified CallManager has a self-signed certificate. Cisco Unified CallManager TFTP servers also have self-signed certificates. If the CAPF is used (needed for LSC), it also has a self-signed certificate. All of them act as their own PKI root. Private Key of CCM1 Public Key of CCM1 CCM1 Private Key of CCM2 Public Key of CCM2 Public Key of TFTP Public Key of CAPF Private Key of TFTP Public Key of TFTP Private Key of CAPF Public Key of CAPF TFTP CCM2 CAPF

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Private Key of Cisco CA Public Key of Cisco CA Cisco CA Phone Cisco IP Telephony MIC PKI Topology Cisco IP phone models that ship with MICs have a public and a private key pair, a MIC for the phone, and a Cisco manufacturing CA certificate installed. The certificate of the IP phone is signed by the Cisco manufacturing CA. Cisco manufacturing CA is the PKI root for all MICs. Private Key of Phone Public Key of Phone Public Key of Cisco CA Cisco CA Public Key of Cisco CA Issue Certificate During Production

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Cisco IP Telephony LSC PKI Topology LSCs can be used on phones with MICs or on Cisco Unified IP Phone 7940 and 7960 when using SCCP. They use LSCs issued either by the CAPF or by an external CA. The CAPF or external CA is the root for all LSCs. External CAs are currently not supported with Cisco Unified CallManager 5. CAPF CCM1 Enroll CAPF Acting as a CA Enroll Enterprise CA CAPF CCM1 Enroll CAPF Acting as a Proxy

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v TFTPCCM1 Independent, Separated PKI Topologies Several IP telephony PKI topologies: No single root but multiple independent PKI topologies No trust relationship between the different topologies Trusted introducer needed, bringing all topologies togetherCTL Client provides that function Private Key of CCM1 Public Key of CCM1 CCM1 Public Key of TFTP Private Key of TFTP Public Key of TFTP TFTP 7941 Cisco CA Public Key of 7941 CAPF Public Key of 7940 CAPF CA MIC 7940 LSC

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Cisco CA TFTP CTL Client Has a certificate issued by the Cisco CA Obtains certificates of all certificate-issuing instances (PKI roots) Creates a list (CTL) containing all obtained certificates and signs the list Cisco CTL client keys physically stored on a security token Cisco CTL Client Private Key of Cisco CTL Client Public Key of Cisco CTL Client CCM1 Cisco CA Public Key of Cisco CTL Client Signed List of Certificate Issuers Public Key of Cisco CTL Client Cisco CTL Client TFTP Public Key of TFTP CCM1 Public Key of CCM1 CAPF Cisco CA Public Key of Cisco CA PUB Public Key of PUB TFTP Public Key of TFTP CAPF Public Key of CAPF CAPF Public Key of CAPF

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Cisco CACisco CTL Client TFTPPUB Cisco CA CTL Download The CTL is sent to the IP phones over TFTP at boot. The CTL contains all entities that issue certificates. The IP phone now knows which issuers are trusted. Public Key of TFTP Public Key of CCM1 Public Key of Cisco CTL Client TFTP Private Key of Phone Public Key of Phone

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Cisco CTL Client Application Cisco CTL client software is used to create or update the CTL. The CTL is signed by Cisco CTL client keys that are among the administrator security tokens, which are all signed by the Cisco CA. The CTL file must be updated only when new IP telephony servers or new security tokens are added to the system. The CTL also acts as an authorization list specifying which certificates belong to which IP telephony function (such as Cisco Unified CallManager and TFTP). Security Token

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Cisco CTL Client TFTPCCM1 Cisco CA Cisco CTL Client TFTPCCM1 Cisco CA CCM2 CTL Verification on the IP Phone Every time the IP phone receives a new CTL, it is verified: CTL must be signed by one of the authorized security tokens (public key for signature verification is taken from the existing CTL on the IP phone). Security token certificate is verified using the public key of the Cisco manufacturing CA (also taken from the existing CTL on the IP phone). Public Key of TFTP Public Key of CCM1 Public Key of Cisco CTL Client Public Key of TFTP Public Key of CCM1 Public Key of Cisco CTL Client Existing CTL on the Phone New CTL over TFTP Public Key of CCM2 Public Key of Cisco CA

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Initial Deployment Issue How does an IP phone know which security token is trusted without already having the CTL? Problem occurs only at initial deployment, when the IP phone does not yet have a local CTL. Any security token could pretend to be a valid token in this IP telephony system. The problem can be solved by downloading the initial CTL over a trusted network. If the CTL is erased in the IP phone, the same problem occurs.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v PKI Enrollment in Cisco IP Telephony With MICs, enrollment is done by Cisco manufacturing CA: –The IP phone has the private and public RSA keys, a certificate issued by the Cisco manufacturing CA, and the certificate of the Cisco manufacturing CA installed. –No other IP phone PKI provisioning tasks are required. With LSCs, enrollment has to be done by the customer: –The MIC (if available) remains on the IP phone, even when an LSC is used. MICs are supported on the Cisco Unified IP Phone 7971, 7970, 7961, 7941, and 7911, while LSCs are supported on Cisco IP Unified Phone 7940 and 7960 when using SCCP and on all models that support MICs. –If both a MIC and an LSC exist in an IP phone, the LSC has priority.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Private Key of Phone Public Key of Phone CAPF CAPF Acting as a CA Private Key of CAPF Public Key of CAPF Public Key of Phone Enroll Public Key of Phone 1. The phone generates its public and private key pairs. 2. The phone downloads the certificate of the CAPF and establishes a TLS session with the CAPF with it. 3. The phone enrolls with the CAPF, sending its identity, its public key, and an optional authentication string. 4. The CAPF issues a certificate for the phone signed with its private key. 5. The CAPF sends the signed certificate to the phone. CAPF CCM1 1 CAPF Public Key of CAPF

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v CAPF CA CAPF Acting as a Proxy to an External CA Private Key of CA Public Key of CA Private Key of Phone Public Key of Phone Public Key of CA Public Key of CAPF Public Key of Phone Enroll Enterprise CA Public Key of Phone 1. The phone generates its public and private key pairs. 2. The phone downloads the certificate of the CAPF and establishes a TLS session with the CAPF with it. 3. The phone sends an enrollment request to the CAPF, including its identity, its public key, and an optional authentication string. 4. The CAPF forwards the request to the external CA. 5. The external CA issues a certificate for the phone signed with its private key. 6. The external CA sends the signed phone certificate to the CAPF. 7. The CAPF sends the signed phone certificate to the phone. Public Key of Phone External CAs are currently not supported with Cisco Unified CallManager 5! CAPF CCM1 1

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Keys and Certificate Storage in Cisco IP Telephony IP phones: Keys and certificate are stored in IP phone nonvolatile memory. IP telephony servers (Cisco Unified CallManager, CAPF, TFTP): Keys and certificate are stored on the hard disk of the Cisco Unified CallManager appliance (no user access). Cisco CTL client (trusted introducer): Keys and certificate are stored on security tokens.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Authentication and Integrity Cisco Unified CallManager allows authentication of calls: Device authentication for the IP phone and the server is provided using device certificates and digital signatures. Authentication and integrity of signaling messages are provided using TLS SHA-1 HMAC.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Certificate Exchange in TLS At the beginning of a TLS session, the server and the IP phone exchange certificates in a TLS handshake. The certificates are then validated. Phone Hello Cisco Unified CallManager Hello Cisco Unified CallManager Certificate Certificate Request Phone Certificate

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Server-to-Phone Authentication The IP phone sends a random challenge to the server and requests that the server sign it. The server signs the random challenge with its RSA private key and returns it to the IP phone. The IP phone verifies the signature using the RSA public key of the server (available locally in the CTL). Phone Hello Cisco Unified CallManager Hello Cisco Unified CallManager Certificate Certificate Request Phone Certificate Challenge1 Response1

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Phone-to-Server Authentication The server sends a random challenge to the IP phone and requests that the phone sign it. The IP phone signs the random challenge with its RSA private key and returns it to the server. The server verifies the signature using the RSA public key of the IP phone just received over the network (in the certificate). Phone Hello Cisco Unified CallManager Hello Cisco Unified CallManager Certificate Certificate Request Phone Certificate Challenge1 Response1 Challenge2 Response2

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v TLS SHA-1 Session Key Exchange The IP phone generates a session key for SHA-1 hashing, encrypts it using the public RSA key of the server, and sends it to the server. The server decrypts the message, and now the IP phone and the server can start signing signaling messages (signaling channel integrity). Phone Hello Cisco Unified CallManager Hello Cisco Unified CallManager Certificate Certificate Request Phone Certificate Challenge1 Response1 Challenge2 Response2 Key Exchange

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Authenticated Signaling Using TLS Each signaling message (SCCP or SIP) is carried over authenticated (signed) TLS packets. TLS SCCP or SIP SHA-1

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Encryption Cisco Unified CallManager also allows encryption of calls: For signaling messages, using TLS encryption with AES encryption For media transfer, using SRTP AES encryption To ensure the authenticity of encrypted packets, encryption is supported only if combined with authentication (applies to both TLS and SRTP).

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v TLS AES Encryption If configured for encryption, the IP phone will create not only a SHA-1 key but also an AES key after the two-way authentication. The IP phone encrypts both keys using the public RSA key of the server and sends them to the server. The server decrypts the message, and now the IP phone and the server can start signing and encrypting signaling messages. Phone Hello Cisco Unified CallManager Hello Cisco Unified CallManager Certificate Certificate Request Phone Certificate Challenge1 Response1 Challenge2 Response2 Key Exchange

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v SRTP Media Encryption SRTP session keys (for media authentication and media encryption) are generated by: –The phone itself, if using SIP –Cisco Unified CallManager, if using SCCP Keys are sent (SCCP) or passed on (SIP) to the IP phones by Cisco Unified CallManager inside signaling messages. To ensure protection of media key distribution, encrypted signaling is mandatory.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v SRTP Packet Format VPXCCMPTSequence Number Time Stamp Synchronization Source (SSRC) Identifier Contributing Sources (CSRC) Identifier... RTP Extension (Optional) RTP Payload SRTP MKI0 Bytes for Voice SHA-1 Authentication Tag (Truncated Fingerprint) Encrypted DataAuthenticated Data

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v SRTP Encryption The sender encrypts the RTP payload using the AES algorithm and the AES key received from Cisco Unified CallManager. The receiver uses the same AES key (also received from Cisco Unified CallManager) to decrypt the RTP payload. Voice AES 74lizE122U Encrypted Voice AB AES 74lizE122U

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Voice or Encrypted Voice SRTP Authentication The sender hashes the RTP payload together with the SHA-1 key received from Cisco Unified CallManager. The hash digest is added to the RTP packet, and the combined packet is sent to the receiver. The receiver uses the same SHA-1 key (also received from Cisco Unified CallManager) to verify the hash digest. + SHA-1 Ss8ds197id Hash Ss8ds197id Voice or Encrypted Voice AB

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Secure Call Flow Summary 1. IP phones and Cisco Unified CallManager exchange certificates. 2. IP phones and Cisco Unified CallManager authenticate each other. 3. IP phones create TLS session keys for SHA-1 authentication and AES encryption. 4. IP phones encrypt session keys with Cisco Unified CallManager public key and send the keys to Cisco Unified CallManager. 5. Cisco Unified CallManager shares TLS keys with each IP phone and starts secure exchange of signaling messages. 6. Session keys for SRTP SHA-1 authentication and SRTP AES encryption are generated and then exchanged via Cisco Unified CallManager. 7. IP phones share SRTP keys and start secure media exchange.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Summary Threats targeting Cisco IP telephony include eavesdropping, IP phone image and configuration file tampering, and DoS attacks. Cisco IP telephony uses authentication and encryption techniques to protect against such threats. There is no single PKI topology in Cisco IP telephony. IP phones can use preinstalled certificates (MICs) or use LSCs issued by CAPF or a company CA. The Cisco CTL client acts as a trusted introducer for the various PKI systems.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v Summary (Cont.) Cisco Unified CallManager stores self-signed certificates at the local hard disk, the keys used by the Cisco CTL client are stored on security tokens, and IP phones store keys in protected nonvolatile memory. Cisco Unified CallManager supports device authentication, authenticated signaling using TLS SHA-1, and authenticated media using SRTP SHA-1. Cisco Unified CallManager supports encryption of signaling messages using TLS AES and encryption of media using SRTP AES.

© 2006 Cisco Systems, Inc. All rights reserved.CIPT2 v