Algorithms on a Secure Call

Unified Communications Manager is enhanced to allow negotiation of the added algorithms on a secure call. As part of this enhancement, the SCCP version has been increased to version 23 in Unified Communications Manager. Newer Open Receive Channel (ORC) and Start Media Transmission (SMT) version 23 structures are implemented with MAX_KEY_SIZE = 32 to support Key and Salt sizes for the new SHA-2 cipher suites. SHA-2 isn’t supported on the SCCP phones, H323, and MGCP.

Note

To secure media for analog endpoints registered over SCCP:
• A call between two secure SCCP Analog endpoints registered to Unified CM must negotiate with one of the SHA-2 ciphers: AEAD_AES_256_GCM or AEAD_AES_128_GCM.
• A call between a secure SCCP Analog endpoint and a SIP endpoint that has SHA-2 support, both registered to Unified CM, negotiates with one of the SHA-2 ciphers: AEAD_AES_256_GCM or AEAD_AES_128_GCM.

To secure media when the conference is hosted on a Hardware conference bridge:
• When an SCCP Analog endpoint or a SIP endpoint that has SHA-2 support is connected to the SCCP Hardware conference bridge, the SHA-2 ciphers negotiate: AEAD_AES_256_GCM or AEAD_AES_128_GCM.
• During a secure conference call, if a mix of media establishment algorithms is present in the endpoints of the secure SCCP conference, the conference bridge negotiates the corresponding algorithm in that particular call leg.

AES 256 Encryption Support for TLS and SIP SRTP

Cisco Collaboration Solutions use Transport Layer Security (TLS) and Secure Real-time Transport Protocol (SRTP) for signaling and media encryption. Currently, Advanced Encryption Standard (AES) with a 128-bit encryption key is used as the encryption cipher. AES also uses Hash-based Message Authentication Code Secure Hash Algorithm-1 (HMAC-SHA-1) as the authentication method. These algorithms cannot effectively scale to meet the required changing security and performance needs.
To meet escalating security and performance requirements, the Next-Generation Encryption (NGE) algorithms and protocols for encryption, authentication, digital signatures, and key exchange are developed. Also, AES 256 encryption support is provided instead of AES 128 for TLS and Session Initiation Protocol (SIP) SRTP that supports NGE. The AES 256 encryption support for TLS and SIP SRTP is enhanced to focus on AES 256 cipher support in signaling and media encryption. This feature is useful for the applications that run on Unified Communications Manager to initiate and support TLS 1.2 connections with the AES-256 based ciphers that conform to SHA-2 (Secure Hash Algorithm) standards and are Federal Information Processing Standards (FIPS) compliant.

This feature has the following requirements:
• The connection that the SIP trunk and SIP line initiate.
• The ciphers that Unified Communications Manager supports for SRTP calls over SIP line and SIP trunk.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
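An added audit example, not code from the guide or from Unified Communications Manager: it reads the SRTP suites offered on each call leg, checks that the key and salt material has the length the suite requires, and reports which legs end up on AES-GCM and which fall back to AES-128 with HMAC-SHA-1. It assumes the offers are visible as SDP a=crypto lines (RFC 4568, RFC 7714) from a capture or trace; the preference order, function names and sample legs are constructed for illustration.

```python
import base64
import re

# Suite -> master key + master salt length in bytes (RFC 4568, RFC 7714).
SUITES = {
    "AEAD_AES_256_GCM": 32 + 12,
    "AEAD_AES_128_GCM": 16 + 12,
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
}
# Assumed preference order, strongest first; not Unified CM's own ordering.
PREFERENCE = list(SUITES)
CRYPTO_RE = re.compile(r"^a=crypto:\d+\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")

def parse_offer(sdp):
    """Return {suite: True if the suite is known and its key||salt length fits}."""
    offered = {}
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        suite, b64 = m.groups()
        try:
            size = len(base64.b64decode(b64, validate=True))
        except ValueError:
            size = -1  # undecodable key material never matches a real length
        offered[suite] = size == SUITES.get(suite)
    return offered

def audit_legs(legs):
    """Map leg -> (selected suite or None, True if the leg is not on AES-GCM)."""
    result = {}
    for name, sdp in legs.items():
        offered = parse_offer(sdp)
        suite = next((s for s in PREFERENCE if offered.get(s)), None)
        result[name] = (suite, suite is None or not suite.startswith("AEAD_"))
    return result

def sample_line(tag, suite, nbytes):
    # Constructed sample: all-zero key material of the given length.
    key = base64.b64encode(bytes(nbytes)).decode()
    return f"a=crypto:{tag} {suite} inline:{key}|2^31"

SAMPLE_LEGS = {  # constructed offers, one per conference leg
    "sip-gcm": sample_line(1, "AEAD_AES_256_GCM", 44) + "\r\n" + sample_line(2, "AES_CM_128_HMAC_SHA1_80", 30),
    "legacy": sample_line(1, "AES_CM_128_HMAC_SHA1_80", 30),
    "short-key": sample_line(1, "AEAD_AES_256_GCM", 28) + "\r\n" + sample_line(2, "AEAD_AES_128_GCM", 28),
}

if __name__ == "__main__":
    print(audit_legs(SAMPLE_LEGS))
```

The "short-key" leg shows why the length check matters: an AEAD_AES_256_GCM line carrying only 28 bytes is rejected, so the leg is reported on AEAD_AES_128_GCM instead.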