cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1820
Views
0
Helpful
3
Replies

7921G phone and encryption

sergiwrk1
Level 1
Level 1

Hi all!

We have several 7921G phones which we want to integrate in our WiFi network.

Such WiFi is protected by using EAP-TLS, so we have installed the corresponding

certificates to one testing phone. We have discovered that the phone does not

support certificates with RSA keys with a size greater than than 2048 bits and,

at the same time, their signatures must be always generated by using the SHA1

hashing algorithm. This fact also appears in the related documentation of the

phone. As a consequence we have a problem since the root certificate of the CA

use a key of 4096 bits and the SHA256 algorithm. We have also updated the

firmware to the latest version without success regarding this. Anyone knows if

there is any plan to a firmware update to support keys with a greater size and

another hashing algorithms? Currently, SHA1 algorithm is considered as

deprecated and the security community recommends to use another hash algorithm,

as the same as occurs with the size of the keys.

Sergi

2 Accepted Solutions

Accepted Solutions

Hi Sergi,

This 7921G already EoL product list, so do not expect any firmware update for it.

http://www.cisco.com/en/US/products/ps7071/

I do not think even any newer phones 7925G will support 4096 bit keys as well.7925G only support key length of 1024 or 2048. Refer this deployment guide for detail (page 97)

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

HTH

Rasika

*** Pls rate all useful responses *****

View solution in original post

migilles
Cisco Employee
Cisco Employee

It is true that the 7921 is not sold any longer but is supported through Nov 2014.
So will offer software release for the 7921 until then.
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps7071/end_of_life_notice_c51-682734.html

However, the 7921 and 7925/7926 will not support certs with 4096 bit keys or SHA-2 signatures.

Any future handsets will have 4096 bit key and SHA-2 support though.


Sent from Cisco Technical Support iPhone App

View solution in original post

3 Replies 3

Hi Sergi,

This 7921G already EoL product list, so do not expect any firmware update for it.

http://www.cisco.com/en/US/products/ps7071/

I do not think even any newer phones 7925G will support 4096 bit keys as well.7925G only support key length of 1024 or 2048. Refer this deployment guide for detail (page 97)

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

HTH

Rasika

*** Pls rate all useful responses *****

migilles
Cisco Employee
Cisco Employee

It is true that the 7921 is not sold any longer but is supported through Nov 2014.
So will offer software release for the 7921 until then.
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps7071/end_of_life_notice_c51-682734.html

However, the 7921 and 7925/7926 will not support certs with 4096 bit keys or SHA-2 signatures.

Any future handsets will have 4096 bit key and SHA-2 support though.


Sent from Cisco Technical Support iPhone App

Thank you for your answers!

I do not know if this obeys some kind of hardware limitations, but it is strange that these features will not be supported as a firmware update :-(

Do you know when a similar handset with these features (i.e. keys with 4096 bits key and SHA-2 hashing algorithm) will be released?

Sergi


Review Cisco Networking for a $25 gift card