Terms and Acronyms
The definitions in the following table apply when you configure authentication, encryption, and other security features for your Cisco IP telephony network:
| Term | Definition |
|---|---|
| Access Control List (ACL) | List that defines rights and permissions to access system functions and resources. See Method List. |
| Authentication | Process that verifies the identity of the communicating entity. |
| Authorization | Process that specifies whether an authenticated user, service, or application has the necessary permissions to perform a requested action; in Unified Communications Manager, the security process that restricts certain trunk-side SIP requests to authorized users. |
| Authorization Header | A SIP user agent response to a challenge. |
| Certificate | A message that contains the certificate holder name, the public key, and the digital signature of the certificate authority that is issuing the certificate. |
| Certificate Authority (CA) | Trusted entity that issues certificates: Cisco or a third-party entity. |
| Certificate Authority Proxy Function (CAPF) | Process by which supported devices can request locally significant certificates by using Unified Communications Manager Administration. |
| Certificate Trust List (CTL) | A file, which is created either with the CLI command set utils ctl or with the CTL Client and signed by the Cisco Site Administrator Security Token (security token), that contains a list of certificates for servers that the phone is to trust. |
| Challenge | In digest authentication, a request to a SIP user agent to authenticate its identity. |
| Cisco Site Administrator Security Token (security token; etoken) | A portable hardware security module that contains a private key and an X.509v3 certificate that the Cisco Certificate Authority signs; used for file authentication, it may be used to sign the CTL file. Hardware security tokens are required only for the CTL Client. The CLI command set utils ctl does not require hardware security tokens. |
| Device Authentication | Process that validates the identity of the device and ensures that the entity is what it claims to be before a connection is made. |
| Digest Authentication | A form of device authentication in which an MD5 hash of a shared password (among other things) is used to establish the identity of a SIP user agent. |
| Digest User | User name that is included in an authorization request sent by phones that are running SIP or by SIP trunks. |
| Digital Signature | Value that is generated by hashing the message and then encrypting the hash with the private key of the signer; the recipient decrypts the hash with the signer's public key, produces another hash of the message with the same hash function, then compares the two hashes to ensure that the messages match and the content is intact. |
| DSP | Digital signaling processor. |
| DSP Farm | A network resource for IP telephony conferencing that is provided by DSPs on an H.323 or MGCP gateway. |
| Encryption | Process of translating data into ciphertext, which ensures the confidentiality of the information and that only the intended recipient can read the data. Requires an encryption algorithm and an encryption key. |
| File Authentication | Process that validates digitally signed files that the phone downloads. The phone validates the signature to make sure that the file was not tampered with after it was created. |
| H.323 | An internet standard that defines a common set of codecs, call setup and negotiation procedures, and basic data transport methods. |
| hash | A number, usually in hexadecimal, that is generated from a string of text by using a hash function, which creates a small digital "fingerprint" for the data. |
| Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) | An IETF-defined protocol that ensures (at a minimum) the identity of the HTTPS server; by using encryption, it ensures the confidentiality of the information that is exchanged between the Tomcat server and the browser client. |
| Image Authentication | Process whereby a phone validates the integrity and source of a binary image prior to loading it on the phone. |
| Integrity | Process that ensures that data tampering did not occur between entities. |
| IPSec | Transport that provides secure H.225, H.245, and RAS signaling channels for end-to-end security. |
| Locally Significant Certificate (LSC) | A digital X.509v3 certificate that CAPF issues; installed on the phone or on the JTAPI/TAPI/CTI application. |
| Manufacture Installed Certificate (MIC) | A digital X.509v3 certificate that is signed by the Cisco Certificate Authority and installed in supported phones by Cisco Manufacturing; used as the authentication mechanism to CAPF when LSCs are installed in phones. |
| Man-in-the-Middle Attacks | Process that allows an attacker to observe and modify the information flow between Unified Communications Manager and the phone. |
| Multipoint Control Unit (MCU) | A flexible system to connect multiple H.323 endpoints and allow multiple users to participate in IP-based video conferences. |
| MD5 | A hash function that is used with encryption. |
| Media Encryption | Process whereby the confidentiality of the media is protected with cryptographic procedures. Media encryption uses Secure Real-Time Transport Protocol (SRTP) as defined in IETF RFC 3711. |
| Message/Data Tampering | Event in which an attacker attempts to alter messages in transit, including ending a call prematurely. |
| Method List | Tool to restrict certain categories of messages that can come in on a SIP trunk during the authorization process; defines which SIP non-INVITE methods are allowed for a trunk-side application or device. Also called a method ACL. |
| Mixed Mode | Unified Communications Manager security mode that you configure to allow devices with secure or nonsecure profiles and RTP/SRTP media to connect to Unified Communications Manager. |
| Nonce | A unique, random number that the server generates for each digest authentication request; used to generate an MD5 hash. |
| Nonsecure Mode | Unified Communications Manager security mode that you configure to allow devices with nonsecure profiles and RTP media to connect to Unified Communications Manager. |
| Nonsecure Call | Call in which at least one device is not authenticated or encrypted. |
| Nonsecure Device | Device that uses UDP or TCP signaling and nonsecure media. |
| PKI | Public key infrastructure, which comprises the set of elements that is needed for public key encryption, including secure public key distribution, certificates, and certificate authorities. |
| Public/Private Key | Keys that are used in encryption. Public keys are widely available, but private keys are held by their respective owners. Asymmetric encryption combines both types. |
| Replay Attack | Event in which an attacker captures information that identifies a phone or proxy server and replays that information while pretending to be the actual device; for example, by impersonating the proxy server private key. |
| RTP | Real-Time Transport Protocol. |
| Simple Certificate Enrollment Protocol (SCEP) | A protocol that is used to communicate with a certificate authority that issues X.509 certificates. |
| Secure Call | Call in which all devices are authenticated, signaling is encrypted, and the media (voice stream) is encrypted. |
| Signaling Authentication | TLS process that validates that no tampering occurred to signaling packets during transmission. |
| Signaling Encryption | Process that uses cryptographic methods to protect the confidentiality of all signaling messages that are sent between the device and the Unified Communications Manager server. |
| SIP Realm | A string (name) that Unified Communications Manager uses to respond to a challenge. |
| SRTP | Secure Real-Time Transport Protocol, which secures voice conversations in the network and provides protection against replay attacks. |
| SSL | A cryptographic protocol that secures data communications such as e-mail on the Internet; equivalent to TLS, its successor. |
| Transport Layer Security (TLS) | A cryptographic protocol that secures data communications such as e-mail on the Internet; functionally equivalent to SSL. |
| Trust List | Certificate list without digital signatures. |
| Trust Store | A repository of X.509 certificates that an application, such as Unified Communications Manager, explicitly trusts. |
| X.509 | An ITU-T cryptographic standard for importing PKI certificates, which includes certificate formats. |