
Cisco SPA100 Series Provisioning Guide

Cisco SPA100 Series
213 pages
Creating XML Provisioning Scripts
Compression and Encryption
Provisioning Guide for Cisco SPA100 and SPA200 Series Analog Telephone Adapters 21
Encryption by using AES
A configuration profile can be encrypted by using symmetric key encryption,
whether or not the file is compressed. The supported encryption algorithm is the
Advanced Encryption Standard (AES), using 256-bit keys, applied in cipher block
chaining mode.
NOTE Compression must precede encryption for the ATA to recognize a compressed and
encrypted profile. A tutorial on encryption is provided in Profile Encryption by
using OpenSSL, page 62.
The OpenSSL encryption tool, available for download from various Internet sites,
can be used to perform the encryption. Support for 256-bit AES encryption might
require recompilation of the tool (to enable the AES code). The firmware has been
tested against version openssl-0.9.7c.
If the file is encrypted, the profile expects the file to have the same format as
generated by the following command:
# example encryption key = SecretPhrase1234
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml -out profile.cfg
# analogous invocation for a compressed xml file
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml.gz -out profile.cfg
A lower case -k precedes the secret key, which can be any plain text phrase and is
used to generate a random 64-bit salt. Then, in combination with the secret
specified with the -k argument, the encryption tool derives a random 128-bit initial
vector, and the actual 256-bit encryption key.
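The derivation described above, as an added Python example that is not part of the Cisco guide: it checks the `Salted__` container layout that `openssl enc` writes and reproduces the tool's one-iteration EVP_BytesToKey derivation of the 256-bit key and 128-bit IV from the passphrase and the 64-bit salt. The function names and the sample container are constructed for illustration. MD5 is the default digest of `openssl enc` before OpenSSL 1.1.0 (which covers 0.9.7c) and later releases default to SHA-256; that the ATA expects the MD5-derived key is an assumption based on the tested version.

```python
import hashlib
import os

MAGIC = b"Salted__"  # 8-byte header written by `openssl enc` when a salt is used


def evp_bytes_to_key(passphrase: bytes, salt: bytes, digest: str = "md5",
                     key_len: int = 32, iv_len: int = 16):
    """Derive (key, iv) as `openssl enc -k` does: one-iteration EVP_BytesToKey."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # D_i = H(D_{i-1} || passphrase || salt), with D_0 empty
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def inspect_profile(blob: bytes, passphrase: bytes, digest: str = "md5"):
    """Check the container layout of an encrypted profile and derive its key/IV."""
    # Header (8) + salt (8) + at least one padded AES block (16)
    if len(blob) < 32 or blob[:8] != MAGIC:
        raise ValueError("missing 'Salted__' header: not salted `openssl enc` output")
    body = blob[16:]
    if len(body) % 16 != 0:
        raise ValueError("ciphertext is not a whole number of 16-byte AES blocks")
    salt = blob[8:16]
    key, iv = evp_bytes_to_key(passphrase, salt, digest)
    return {"salt": salt, "key": key, "iv": iv, "blocks": len(body) // 16}


def sample_container(salt: bytes, blocks: int = 2) -> bytes:
    """Constructed sample: correct layout, random bytes standing in for ciphertext."""
    return MAGIC + salt + os.urandom(16 * blocks)


if __name__ == "__main__":
    # Constructed salt; the passphrase is the example value used on this page.
    info = inspect_profile(sample_container(bytes(range(8))), b"SecretPhrase1234")
    print("salt:", info["salt"].hex())
    print("key :", info["key"].hex())
    print("iv  :", info["iv"].hex())
```

Passing `digest="sha256"` shows the key and IV that a current OpenSSL build derives by default from the same passphrase and salt, which differ from the MD5-derived values.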
When this form of encryption is used to encrypt a configuration profile, the ATA
must be informed of the secret key value to decrypt the file. This value is specified
as a qualifier in the profile URL. The syntax is as follows, using an explicit URL:
[--key "SecretPhrase1234"] http://prov.telco.com/path/profile.cfg
This value is programmed by using one of the Profile_Rule parameters. The key
must be preprovisioned into the unit at an earlier time. This bootstrap of the secret
key can be accomplished securely by using HTTPS.
