Using Https; How Https Works - Linksys SPA2102-AU Provisioning Manual

Using HTTPS

Table 1-1
SEC-PRV-1
SEC-PRV-2
Using HTTPS
The SPA provides a reliable and secure provisioning strategy based on HTTPS requests from the SPA to
the provisioning server, using both server and client certificates for authenticating the client to the server
and the server to the client.
To use HTTPS with Linksys SPA units, you must generate a Certificate Signing Request (CSR) and
submit it to Linksys. Linksys generates a certificate for installation on the provisioning server that is
accepted by the SPA units when they seek to establish an HTTPS connection with the provisioning
server. This procedure is described in the

How HTTPS Works

Starting with firmware release 2.0.6 , the SPA implements SSL, which lets the SPA client to connect to
servers using HTTPS.
HTTPS encrypts the communication between the client and the server, protecting the message contents
from other intervening network devices. The encryption method for the body of the communication
between client and server is based on symmetric key cryptography. With symmetric key cryptography,
a single secret key is shared by the client and the server over a secure channel protected by Public/Private
key encryption.
Messages encrypted by the secret key can only be decrypted using the same key. HTTPS supports a wide
range of symmetric encryption algorithms. The SPA implements up to 256-bit symmetric encryption,
using the American Encryption Standard (AES), in addition to 128-bit RC4.
HTTPS also provides for the authentication of the server and the client engaged in a secure transaction.
This feature ensures that the provisioning server and an individual client cannot be spoofed by other
devices on the network. This is an essential capability in the context of remote endpoint provisioning.
Linksys SPA Provisioning Guide
1-8
Provisioning States (continued)
Secure Provisioning—Initial Configuration
The initial device-unique CFG file should be targeted to each SPA by compiling
the CFG file with the spc --target option. This provides an initial level of
encryption that does not require the exchange of keys.
The initial device-unique CFG file should reconfigure the profile parameters to
enable stronger encryption, by programming a 256-bit encryption key, and
pointing to a randomly generated TFTP directory. For example, the CFG file
might contain:
Profile_Rule [--key $A] tftp.callme.com/profile/$B/spa2102.cfg;
GPP_A 8e4ca259...;
GPP_B Gp3sqLn...;
Secure Provisioning—Full Configuration
The subsequent profile resync operations retrieve 256-bit encrypted CFG files,
which maintain the SPA in a state synchronized to the provisioning server.
All remaining SPA parameters are configured and maintained through this
strongly encrypted profile. The encryption key and random directory location can
be changed periodically for extra security.
Chapter 1
# 256 bit key
# random CFG file path directory
"Enabling HTTPS" section on page
Provisioning Linksys VoIP Devices
1-13.
Version 3.0