Cryptographic Controls

Certificate Management:

Certificates are used to authenticate the communicating parties during the handshake procedure. Each server has a private key and a public key. A message that is encrypted with the private key can only be decrypted with the public key, and a message that is encrypted with the public key can only be decrypted by the owner of the private key. For more information about certificate management, see the description for SECURITY and the operational directions for CERTIFICATE MANAGEMENT.

Digital Signature Algorithms:

In MX-ONE, the certificates used by the encryption mechanisms can be digitally signed with either the RSA or the ECDSA algorithm.

The following services support either RSA or ECDSA certificates:
  • SIPLP (TCP Ports 5061 and 22223)
  • Configure Server (TCP Port 22226)
  • CSTA server (TCP Port 8883)
  • Provisioning Manager and Service Node Manager (TCP Port 443)
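Since each of the services above may present either an RSA-signed or an ECDSA-signed certificate, an operator reviewing certificates wants a quick way to see which family and digest a given certificate was signed with. The following is an added example, not MX-ONE code: it walks the outer DER structure of an X.509 certificate (RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) using only the Python standard library and maps the signatureAlgorithm OID to RSA or ECDSA, also flagging SHA-1 digests as weak. The sample certificates it parses are constructed DER skeletons (placeholder tbsCertificate, dummy signature), enough to exercise the parser; a real PEM file exported from a server goes through `classify_pem()`.

```python
"""Identify the digital signature algorithm of an X.509 certificate (added example)."""
import base64
import re

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758): family, name, weak digest?
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("RSA", "sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("RSA", "sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("RSA", "sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("RSA", "sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ECDSA", "ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ECDSA", "ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ECDSA", "ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4":   ("ECDSA", "ecdsa-with-SHA512", False),
}
SEQUENCE, OID, NULL, INTEGER, BIT_STRING = 0x30, 0x06, 0x05, 0x02, 0x03


def _read_tlv(data, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """DER OID contents -> dotted string (the first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)             # tbsCertificate (skipped here)
    _, alg_id, _ = _read_tlv(cert, pos)           # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify_der(der):
    oid = signature_oid(der)
    family, name, weak = SIGNATURE_OIDS.get(oid, ("unknown", oid, True))
    return {"family": family, "algorithm": name, "weak_digest": weak}


def classify_pem(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not body:
        raise ValueError("no PEM certificate block found")
    return classify_der(base64.b64decode("".join(body.group(1).split())))


# --- constructed test input: a DER skeleton, not a real certificate ----------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_certificate(sig_oid):
    """Skeleton: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x02"))                      # stands in for tbsCertificate
    params = _tlv(NULL, b"") if sig_oid.startswith("1.2.840.113549") else b""  # RSA carries NULL params
    alg_id = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + params)
    signature = _tlv(BIT_STRING, b"\x00" + b"\xAA" * 64)              # dummy, not a valid signature
    return _tlv(SEQUENCE, tbs + alg_id + signature)


def constructed_pem(sig_oid):
    b64 = base64.b64encode(constructed_certificate(sig_oid)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

Only the outer AlgorithmIdentifier is inspected, which is the field that says what the issuer used to sign; the identical OID also appears inside tbsCertificate, and a mismatch between the two is itself a malformed certificate. An "unknown" family result (or `weak_digest` true) is the cue to re-issue the certificate rather than deploy it to one of the services listed above.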

VoIP Security:

The Voice over IP (VoIP) signaling between IP terminals and the SIP proxy or the H.323 Gatekeeper (the MX-ONE Service Node) is protected by the Transport Layer Security (TLS) cryptographic protocol. TLS provides a secure way to exchange the cipher keys needed in the subsequent Secure Real-time Transport Protocol (SRTP) media session. For more information about VoIP, see the operational directions for VOIP SECURITY.

Media Encryption:

Secure Real-time Transport Protocol (SRTP) is used to protect the media streams of the voice communication.

MX-ONE supports the use of SRTP for media encryption in the IP phones, the Media Gateway Lite, and MX-ONE Classic. SRTP uses the Advanced Encryption Standard (AES) with different key lengths to protect the media streams.
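The two preceding sections state that TLS on the signaling path is what protects the exchange of the SRTP keys, and that SRTP then uses AES with different key lengths. The following is an added example, not MX-ONE code, and it assumes the common SDES key-exchange mechanism (RFC 4568), in which the SRTP master key and salt are carried in cleartext inside SDP `a=crypto` lines, so TLS is the only thing keeping them confidential. It parses each offered crypto attribute, checks that the decoded key material matches the AES key length the suite name promises, and applies a minimum AES key length policy when picking an offer. The SDP lines are constructed sample data whose key bytes are a fixed counter pattern, not real call material.

```python
"""Validate the SRTP key material offered in SDP crypto attributes (added example)."""
import base64
import re

# Crypto suites (RFC 4568, RFC 6188): AES key bytes, salt bytes, auth tag bits
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14, 80),
    "AES_CM_128_HMAC_SHA1_32": (16, 14, 32),
    "AES_256_CM_HMAC_SHA1_80": (32, 14, 80),
    "AES_256_CM_HMAC_SHA1_32": (32, 14, 32),
}
CRYPTO_LINE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)\s*$")


def parse_crypto_line(line):
    """Split an a=crypto line into tag, suite, decoded key||salt, lifetime and MKI."""
    m = CRYPTO_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an SDES crypto attribute: {line!r}")
    tag, suite, key_params = m.groups()
    fields = key_params.split("|")                 # <key||salt>[|lifetime][|MKI:length]
    b64 = fields[0] + "=" * (-len(fields[0]) % 4)  # tolerate omitted base64 padding
    info = {"tag": int(tag), "suite": suite, "key_salt": base64.b64decode(b64),
            "lifetime": None, "mki": None}
    for f in fields[1:]:
        if ":" in f:                               # MKI is written as value:length
            info["mki"] = f
        else:                                      # lifetime is written as 2^n
            info["lifetime"] = f
    return info


def evaluate_offer(line, min_aes_key_bits=128):
    """Decide whether one crypto offer is acceptable; always return a reason."""
    offer = parse_crypto_line(line)
    if offer["suite"] not in SUITES:
        return {**offer, "accept": False, "reason": "unsupported crypto suite"}
    key_len, salt_len, _tag_bits = SUITES[offer["suite"]]
    if len(offer["key_salt"]) != key_len + salt_len:
        return {**offer, "accept": False,
                "reason": f"expected {key_len + salt_len} key+salt bytes, got {len(offer['key_salt'])}"}
    if key_len * 8 < min_aes_key_bits:
        return {**offer, "accept": False,
                "reason": f"AES-{key_len * 8} is below the policy minimum of AES-{min_aes_key_bits}"}
    return {**offer, "accept": True, "aes_key_bits": key_len * 8, "reason": "ok"}


def select_offer(sdp, min_aes_key_bits=128):
    """Return the first acceptable a=crypto offer in an SDP body, or None."""
    for line in sdp.splitlines():
        if line.startswith("a=crypto:"):
            result = evaluate_offer(line, min_aes_key_bits)
            if result["accept"]:
                return result
    return None


# --- constructed sample input (key bytes are a counter pattern, not a real key) ---
def constructed_crypto_line(tag, suite, n_bytes, extra=""):
    key_salt = bytes(range(n_bytes))
    return f"a=crypto:{tag} {suite} inline:{base64.b64encode(key_salt).decode()}{extra}"


CONSTRUCTED_SDP = "\n".join([
    "m=audio 49170 RTP/SAVP 0",
    constructed_crypto_line(1, "AES_CM_128_HMAC_SHA1_80", 30, "|2^20|1:4"),
    constructed_crypto_line(2, "AES_256_CM_HMAC_SHA1_80", 46),
    constructed_crypto_line(3, "AES_256_CM_HMAC_SHA1_32", 30),   # too short for AES-256
])
```

Raising `min_aes_key_bits` to 256 makes `select_offer()` skip the AES-128 offer and pick the AES-256 one; the third offer is rejected in either case because its 30 bytes cannot hold a 32-byte key plus a 14-byte salt, which is the kind of malformed offer an endpoint should refuse rather than pad or truncate.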

For information about how to enable or disable SRTP, see the operational directions for VOIP SECURITY.

Signaling Encryption:

Transport Layer Security (TLS) provides secure access to IP phones and web services, and secure signaling between IP phones and MX-ONE Service Nodes.

For information on how to enable or disable TLS, see the operational directions for CERTIFICATE MANAGEMENT.

Security Policy Management:

The Security Policy determines how IP entities are allowed to register in the system. If security exceptions are allowed, certain directory numbers or terminal types can be permitted to register even if they do not support TLS or SRTP. For more information about the security policy and how to set it up, see the operational directions for VOIP SECURITY.
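The following is an added example, not MX-ONE code, and it does not use the product's configuration format. It models the behaviour described above: by default an IP entity may register only if it supports TLS signaling and SRTP media, and when security exceptions are enabled, listed directory numbers or terminal types may register without one or both. Each decision carries its reason and a flag saying whether an exception was relied on, so registrations that bypassed TLS or SRTP can be reported and reviewed rather than go unnoticed. The registration attempts and terminal type names are constructed sample data.

```python
"""Model of a VoIP registration security policy with exceptions (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    directory_number: str
    terminal_type: str
    tls: bool     # signaling carried over TLS
    srtp: bool    # endpoint supports SRTP media


@dataclass(frozen=True)
class SecurityPolicy:
    require_tls: bool = True
    require_srtp: bool = True
    exceptions_allowed: bool = False
    excepted_numbers: frozenset = frozenset()
    excepted_terminal_types: frozenset = frozenset()


def evaluate(policy, reg):
    """Return (decision, via_exception, reason) for one registration attempt."""
    missing = [name for name, required, has in (("TLS", policy.require_tls, reg.tls),
                                                ("SRTP", policy.require_srtp, reg.srtp))
               if required and not has]
    if not missing:
        return "allow", False, "meets policy"
    gap = "missing " + " and ".join(missing)
    if policy.exceptions_allowed:
        if reg.directory_number in policy.excepted_numbers:
            return "allow", True, f"{gap}; exception for directory number {reg.directory_number}"
        if reg.terminal_type in policy.excepted_terminal_types:
            return "allow", True, f"{gap}; exception for terminal type {reg.terminal_type}"
    return "deny", False, f"{gap}; no exception applies"


def exception_report(policy, registrations):
    """List (directory number, reason) for registrations admitted only through an exception."""
    return [(reg.directory_number, reason) for reg in registrations
            for _decision, via_exception, reason in [evaluate(policy, reg)] if via_exception]


# constructed sample data
SAMPLE_REGISTRATIONS = (
    Registration("1001", "sip-phone", tls=True, srtp=True),
    Registration("1002", "sip-phone", tls=False, srtp=False),
    Registration("1003", "analog-adapter", tls=True, srtp=False),
)
STRICT = SecurityPolicy()
WITH_EXCEPTIONS = SecurityPolicy(exceptions_allowed=True,
                                 excepted_numbers=frozenset({"1002"}),
                                 excepted_terminal_types=frozenset({"analog-adapter"}))
```

Running `exception_report(WITH_EXCEPTIONS, SAMPLE_REGISTRATIONS)` lists 1002 and 1003 with the reason each was admitted; under `STRICT` the report is empty because 1002 and 1003 are simply denied. Keeping that report as a periodic check is what turns a configured exception into a reviewed one.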