Unity Connection Message Store Encryption

rchaseling
Level 4

Hi,

I've a quick query about how messages on Unity Connection 10+ are stored if the audio stream is sent as sRTP. Are the messages actually stored encrypted as sRTP, or does the Unity server decrypt on arrival and actually store as G711?

Thanks

3 Replies

Manish Gogna
Cisco Employee

Hi,

The process of authentication and encryption of Cisco Unity Connection voice messaging ports is as follows:

1. Each Cisco Unity Connection voice messaging port connects to the TFTP server, downloads the CTL file, and extracts the certificates for all Cisco Unified CM servers.

2. Each Cisco Unity Connection voice messaging port establishes a network connection to the Cisco Unified CM TLS port. By default, the TLS port is 2443, though the port number is configurable.

3. Each Cisco Unity Connection voice messaging port establishes a TLS connection to the Cisco Unified CM server, at which time the device certificate is verified and the voice messaging port is authenticated.

4. Each Cisco Unity Connection voice messaging port registers with the Cisco Unified CM server, specifying whether the voice messaging port will also use media encryption.

Behavior for Calls

When a call is made between Cisco Unity Connection and Cisco Unified CM, the call-signaling messages and the media stream are handled in the following manner:

If both end points are set for encrypted mode, the call-signaling messages and the media stream are encrypted.

If one end point is set for authenticated mode and the other end point is set for encrypted mode, the call-signaling messages are authenticated. But neither the call-signaling messages nor the media stream are encrypted.

If one end point is set for non-secure mode and the other end point is set for encrypted mode, neither the call-signaling messages nor the media stream are encrypted.

Manish

Thanks for the detailed response, Manish, but it's not exactly what I was looking for, though I'd say from looking at the above you'll be able to answer quickly.

The customer wants to know how the voicemail messages are actually stored within Unity Connection if encryption is used between UCM and CUC. Are the messages actually stored as sRTP? In other words, if TAC or someone gained root access, could they access and listen to any messages?

It's a customer compliance question.

Thanks

This is an interesting question. The only documentation I could find related to it is from UCXN 1.0 (refer to the following doc).

http://www.cisco.com/en/US/docs/voice_ip_comm/connection/1x/administration/guide/acm160.html#wp1041017

The menu items mentioned in the doc to enable encryption of secure messages do not appear to exist on modern versions of UCXN (I just checked on 11.X).

However, even if modern UCXN versions did use the same encryption methods as UCXN 1.X, if someone has root access to your system, chances are they would be able to export the private key used to encrypt the messages.

If someone else has run across this I would be interested to know the answer as well.