Cisco 8831 Administration Manual page 33

Cisco Unified IP Conference Phone 8831
Feature
Customer-site certificate
installation
Device authentication
File authentication
Signalling Authentication
Manufacturing installed
certificate
Secure SRST reference
Media encryption
CAPF (Certificate Authority
Proxy Function)
Description
Each conference phone requires a unique certificate for device authentication.
Conference phones include a manufacturing installed certificate (MIC), but
for additional security, you can specify in Cisco Unified Communications
Manager Administration that a certificate be installed by using the Certificate
Authority Proxy Function (CAPF). Alternatively, you can install a Locally
Significant Certificate (LSC) from the Security Configuration menu on the
phone.
Occurs between the Cisco Unified Communications Manager server and the
conference phone when each entity accepts the certificate of the other entity.
Determines whether a secure connection between the conference phone and
a Cisco Unified Communications Manager should occur; and, if necessary,
creates a secure signaling path between the entities by using TLS protocol.
Cisco Unified Communications Manager will not register conference phone
unless they can be authenticated by the Cisco Unified Communications
Manager.
Validates digitally signed files that the conference phone downloads. The
conference phone validates the signature to make sure that file tampering
did not occur after the file creation. Files that fail authentication are not
written to Flash memory on the conference phone. The conference phone
rejects such files without further processing.
Uses the TLS protocol to validate that no tampering has occurred to signalling
packets during transmission.
Each conference phone contains a unique manufacturing installed certificate
(MIC), which is used for device authentication. The MIC is a permanent
unique proof of identity for the conference phone, and allows Cisco Unified
Communications Manager to authenticate the phone.
After you configure a SRST reference for security and then reset the
dependent devices in Cisco Unified Communications Manager
Administration, the TFTP server adds the SRST certificate to the cnf.xml
file and sends the file to the phone. A secure phone then uses a TLS
connection to interact with the SRST-enabled router.
Uses SRTP to ensure that the media streams between supported devices
proves secure and that only the intended device receives and reads the data.
Includes creating a media master key pair for the devices, delivering the keys
to the devices, and securing the delivery of the keys while the keys are in
transport.
Implements parts of the certificate generation procedure that are too
processing-intensive for the conference phone, and interacts with the
conference phone for key generation and certificate installation. The CAPF
can be configured to request certificates from customer-specified certificate
authorities on behalf of the conference phone, or it can be configured to
generate certificates locally.
Cisco Unified IP Conference Phone 8831 Administration Guide for Cisco Unified Communications Manager 9.0
Supported security features
23