08-31-2017 05:29 AM - edited 03-17-2019 11:05 AM
Two years ago, the platform I now manage was upgraded from V9 to 10.5. It was a secure-mode super cluster consisting of 12,000 CIPC phones and 7,000 hard phones of various models.
The upgrade broke secure mode on the CIPCs, which would not register and had to be switched to a non-secure phone profile, and the LSC was removed. The problem was recently uncovered and attributed to a bug where, if the CTL file is over 3200 bytes, the CIPC phones will not accept it. The CTL-file-over-5000-bytes issue was remedied by a patch for hard phones but never for CIPC phones.
Over the course of two years this has never been resolved and remains an open security issue. The repair is to reduce the size of the CTL file down to 3200 bytes by deleting expired certificates.
The argument here is that the security mode of the cluster is Authenticated and By Null String. It is believed that this configuration provides SRTP. My interpretation of this security profile is that all it is doing is using the LSC to authenticate to the cluster instead of the MIC, and that no security is being provided.
My understanding is that this configuration is not doing anything at all, and is the same as what the MIC and ITL do in a non-secure profile?
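The repair described in the post above (shrink the CTL to 3200 bytes by dropping expired certificates) is a byte-budget exercise, so here is an added example of how to check it before touching the cluster. This is not the poster's tooling and not Cisco's; it is standard-library Python that takes the DER certificates that would be listed in the CTL, reads each certificate's validity window with a minimal DER walker, drops the expired ones and compares the remaining byte total against the 3200-byte figure from the thread. Assumptions: the CTL container itself (record headers, signature) is not parsed and is approximated by the `ASSUMED_CTL_OVERHEAD` constant, which is a guess rather than a measured value; the sample certificates are synthetic DER structures shaped like X.509 v3 certificates (unsigned, empty names) so the block runs offline. On a real cluster you would feed it the actual CAPF, CallManager and TFTP certificates.

```python
"""Prune expired certificates headed for a CTL file and report the byte
budget against the 3200-byte CIPC limit quoted in the thread.

Added example, not the poster's or Cisco's code. The CTL container format is
not modelled; ASSUMED_CTL_OVERHEAD is a guess for headers plus signature.
"""
from datetime import datetime, timezone

CIPC_CTL_LIMIT = 3200          # bytes; the threshold reported in the thread
ASSUMED_CTL_OVERHEAD = 256     # bytes; assumed, not measured


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, contents, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag, raw):
    """UTCTime (0x17) or GeneralizedTime (0x18) -> aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                                    # RFC 5280: YY >= 50 is 19YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_of(cert_der):
    """Return (notBefore, notAfter) from an X.509 DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                      # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)                     # [0] version or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)                 # serialNumber INTEGER
    _, _, pos = read_tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)                     # issuer Name
    _, validity, _ = read_tlv(tbs, pos)                # validity SEQUENCE
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return parse_time(t1, nb), parse_time(t2, na)


def prune_expired(certs, now):
    """Split (name, der) pairs into kept and expired by notAfter < now."""
    kept, expired = [], []
    for name, der in certs:
        _, not_after = validity_of(der)
        (expired if not_after < now else kept).append((name, der, not_after))
    return kept, expired


def ctl_budget(certs, now):
    """Byte usage before/after pruning, checked against CIPC_CTL_LIMIT."""
    kept, expired = prune_expired(certs, now)
    before = sum(len(d) for _, d in certs) + ASSUMED_CTL_OVERHEAD
    after = sum(len(d) for _, d, _ in kept) + ASSUMED_CTL_OVERHEAD
    return {"expired": [n for n, _, _ in expired],
            "bytes_before": before, "bytes_after": after,
            "fits_cipc": after <= CIPC_CTL_LIMIT}


# Constructed sample data: synthetic DER shaped like X.509 v3 certificates
# (unsigned, empty names, zeroed key). Not real Cisco certificates.
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_cert(not_before, not_after, key_bytes=1000):
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                 # version v3
        _der(0x02, b"\x01"),                                             # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")), # sha256WithRSA
        _der(0x30, b""),                                                 # issuer
        _der(0x30, utc(not_before) + utc(not_after)),                    # validity
        _der(0x30, b""),                                                 # subject
        _der(0x30, _der(0x03, b"\x00" + bytes(key_bytes))),              # SPKI stand-in
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00" * 17))


NOW = datetime(2017, 8, 31, tzinfo=timezone.utc)       # date of the post
SAMPLE_CERTS = [
    ("CAPF-old", fake_cert(datetime(2010, 1, 1), datetime(2015, 1, 1))),
    ("CCM+TFTP-old", fake_cert(datetime(2012, 6, 1), datetime(2017, 6, 1))),
    ("CAPF", fake_cert(datetime(2015, 1, 1), datetime(2020, 1, 1))),
    ("CCM+TFTP", fake_cert(datetime(2017, 6, 1), datetime(2022, 6, 1))),
]

if __name__ == "__main__":
    print(ctl_budget(SAMPLE_CERTS, NOW))
```

With the four constructed certificates the file would be over the limit until the two expired entries are removed, which is the situation the post describes. The walker only reads the validity window, so it is indifferent to the signature algorithm and extensions; the one thing to remember is that the real CTL also carries per-record metadata and the signer's signature, so leave headroom under 3200 rather than landing exactly on it.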
08-31-2017 11:47 PM
Hi Alex,
As per the following link:
Table 7 Security Authentication Settings Supported on Cisco IP Communicator

| Authentication Mode | Description |
| --- | --- |
| By Authentication String | Installs or upgrades, deletes, or troubleshoots an LSC only when you or the user enters the CAPF authentication string on Cisco IP Communicator. |
| By Null String | Installs or upgrades, deletes, or troubleshoots an LSC without user intervention. |
| By Existing Certificate (Precedence to LSC) | Installs or upgrades, deletes, or troubleshoots an LSC if an LSC exists on Cisco IP Communicator. If an LSC exists on Cisco IP Communicator, authentication occurs through the LSC, whether or not another certificate exists on Cisco IP Communicator. If another certificate and an LSC exist on Cisco IP Communicator, authentication occurs through the LSC. Before you choose this option, verify that a certificate exists on Cisco IP Communicator. If you choose this option and no certificate exists on Cisco IP Communicator, the operation fails. At any time, Cisco IP Communicator uses only one certificate to authenticate to CAPF. If the primary certificate, which takes precedence, becomes compromised for any reason, or if you want to authenticate through the other certificate, you must update the authentication mode. |

Note: The By Existing Certificate (Precedence to MIC) option is not supported by Cisco IP Communicator.
and the following
Certificate Authority Proxy Function (CAPF), which automatically installs with Cisco Unified Communications Manager, performs the following tasks, depending on your configuration:
Your understanding seems to be correct.
HTH
Manish