Polycom SOUNDPOINT SIP 2.2.0 User Manual

Administrator’s Guide SoundPoint IP / SoundStation IP

C - 4

A key is generated by the utility and must be downloaded to the phone so that it can decrypt the files that were encrypted on the server. The device.sec.configEncryption.key configuration file parameter is used to set the key on the phone. The utility generates a random key and the encryption is Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode. An example key would look like this:

Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;

If the phone doesn't have a key, it must be downloaded to the phone in plain text (a potential security hole if not using HTTPS). If the phone already has a key, a new key can be downloaded to the phone encrypted using the old key (refer to Changing the Key on the Phone on page C-5). At a later date, new phones from the factory will have a key pre-loaded in them. This key will be changed at regular intervals to enhance security.
It is recommended that all keys have unique descriptive strings in order to allow simple identification of which key was used to encrypt a file. This makes boot server management easier.
After encrypting a configuration file, it is useful to rename the file to avoid confusing it with the original version, for example rename sip.cfg to sip.enc. However, the directory and override filenames cannot be changed in this manner.
You can check whether an encrypted file is the same as an unencrypted file by:

1. Run the configFileEncrypt utility on the unencrypted file with the "-d" option. This shows the "digest" field.

2. Look at the encrypted file using WordPad and check the first line that shows a "Digest=…." field. If the two fields are the same, then the encrypted and unencrypted files are the same.
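The following added example is not part of the Polycom guide or the configFileEncrypt utility. It is a small administrator-side checker for the two pieces of the procedure above: it validates a key record in the "Crypt=…;KeyDesc=…;Key=…;" form shown earlier (the key value used is the guide's own example), confirms the key is exactly 16 bytes as AES-128 requires, flags KeyDesc strings that are reused across several keys (the guide recommends unique descriptive strings), and compares the Digest field from the first line of an encrypted file against the digest reported by the utility. The assumptions are that fields are name=value pairs separated by semicolons and that the encrypted file's first line carries "Digest=<value>" terminated by a semicolon or end of line; the digest value in the sample is constructed.

```python
import re
from typing import Dict, List

# The guide's own example key record (KeyDesc and key value as printed there).
SAMPLE_KEY_RECORD = "Crypt=1;KeyDesc=companyNameKey1;Key=06a9214036b8a15b512e03d534120006;"

# AES-128 in CBC mode: the key must be exactly 16 bytes (32 hex characters).
AES128_KEY_BYTES = 16


def parse_key_record(record: str) -> Dict[str, str]:
    """Split a 'name=value;name=value;' record into a dict.

    Assumption: fields are name=value pairs separated by ';' as in the
    guide's example; a trailing ';' is allowed.
    """
    fields: Dict[str, str] = {}
    for part in record.strip().split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        name, value = part.split("=", 1)
        fields[name] = value
    return fields


def validate_key_record(record: str) -> Dict[str, str]:
    """Check that a key record has the fields the guide shows and a 16-byte key."""
    fields = parse_key_record(record)
    for required in ("Crypt", "KeyDesc", "Key"):
        if required not in fields:
            raise ValueError(f"missing field {required}")
    if fields["Crypt"] != "1":
        raise ValueError(f"unexpected Crypt value {fields['Crypt']!r}")
    if not fields["KeyDesc"]:
        raise ValueError("KeyDesc must be a non-empty descriptive string")
    key_hex = fields["Key"]
    if not re.fullmatch(r"[0-9a-fA-F]+", key_hex):
        raise ValueError("Key is not a hex string")
    if len(bytes.fromhex(key_hex)) != AES128_KEY_BYTES:
        raise ValueError(f"Key must be {AES128_KEY_BYTES} bytes for AES-128")
    return fields


def find_duplicate_descriptions(records: List[str]) -> List[str]:
    """Return KeyDesc values shared by more than one record.

    The guide recommends unique descriptive strings so an administrator can
    tell which key encrypted a given file; duplicates defeat that.
    """
    counts: Dict[str, int] = {}
    for record in records:
        desc = validate_key_record(record)["KeyDesc"]
        counts[desc] = counts.get(desc, 0) + 1
    return sorted(desc for desc, n in counts.items() if n > 1)


def digest_from_encrypted_header(first_line: str) -> str:
    """Extract the Digest value from the first line of an encrypted file.

    Assumption: the field appears as 'Digest=<value>' and ends at ';',
    whitespace, or end of line.
    """
    match = re.search(r"Digest=([^;\s]+)", first_line)
    if not match:
        raise ValueError("no Digest field on the first line")
    return match.group(1)


def encrypted_matches_plain(first_line: str, utility_digest: str) -> bool:
    """Step 2 of the guide's check: equal digests mean the files have the same content."""
    return digest_from_encrypted_header(first_line) == utility_digest.strip()


if __name__ == "__main__":
    fields = validate_key_record(SAMPLE_KEY_RECORD)
    print("key OK:", fields["KeyDesc"], "->", len(bytes.fromhex(fields["Key"])), "bytes")
    # Constructed first line of an encrypted file and a constructed utility digest.
    header = "Digest=0f1e2d3c4b5a6978;Crypt=1;KeyDesc=companyNameKey1;"
    print("encrypted matches plain:", encrypted_matches_plain(header, "0f1e2d3c4b5a6978"))
```

Run the file directly to see the checks applied to the guide's sample record; in practice the digest passed to encrypted_matches_plain is the value printed by configFileEncrypt -d and the first line is read from the .enc file.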

Note

If a phone downloads an encrypted file that it cannot decrypt, the action is logged,
an error message displays, and the phone reboots. The phone will continue to do
this until the boot server provides an encrypted file that can be read, an
unencrypted file, or the file is removed from the master configuration file list.

Note

The SoundPoint IP 300 and 500 phones will always fail at decrypting files. These phones will recognize that a file is encrypted, but cannot decrypt it and will display an error. This information is logged. Encrypted configuration files can only be decrypted on the SoundPoint IP 301, 320, 330, 430, 501, 550, 600, 601, and 650 and the SoundStation IP 4000 phones.

The master configuration file cannot be encrypted on the boot server. This file is downloaded by the bootROM that does not recognize encrypted files. For more information, refer to Master Configuration Files on page 2-5.