Cisco Unified IP Phone 7931G Administration Guide for Cisco Unified Communications Manager 8.0 (SCCP and SIP)
OL-20798-01
Chapter 1 An Overview of the Cisco Unified IP Phone
 Understanding Security Features for Cisco Unified IP Phones
Overview of Supported Security Features
Table 1-4 provides an overview of the security features that the Cisco Unified IP Phone 7931G 
supports. For more information about these features and about Cisco Unified CM and 
Cisco Unified IP Phone security, see the Cisco Unified Communications Manager Security Guide.
For information about current security settings on a phone, look at the settings on the Security 
Configuration menus on the phone. For more information, see Security Configuration Menu, page 4-35 
and Security Configuration Menu, page 4-30.
Note: Most security features are available only if a Certificate Trust List (CTL) is installed on the phone. For 
more information about the CTL, see the Cisco Unified Communications Manager Security Guide, 
Configuring the Cisco CTL Client.
Table 1-4 Overview of Security Features

| Feature | Description |
|---|---|
| Image authentication | Signed binary files (with the extension .sbn) prevent tampering with the firmware image before it is loaded on a phone. Tampering with the image causes a phone to fail the authentication process and reject the new image. |
| Customer-site certificate installation | Each Cisco Unified IP Phone requires a unique certificate for device authentication. Phones include a manufacturing installed certificate (MIC), but for additional security, you can specify in Cisco Unified CM Administration that a certificate be installed by using the Certificate Authority Proxy Function (CAPF). Alternatively, you can install a locally significant certificate (LSC) from the Security Configuration menu on the phone. For more information, see Configuring Security on the Cisco Unified IP Phone, page 3-9. |
| Device authentication | Occurs between the Cisco Unified CM server and the phone when each entity accepts the certificate of the other entity. Determines whether a secure connection between the phone and a Cisco Unified CM should occur and, if necessary, creates a secure signaling path between the entities by using the Transport Layer Security (TLS) protocol. Cisco Unified CM does not register phones unless it can authenticate them. |
| File authentication | Validates digitally signed files that the phone downloads. The phone validates the signature to make sure that the file was not tampered with after it was created. Files that fail authentication are not written to Flash memory on the phone. The phone rejects such files without further processing. |
| Signaling authentication | Uses the TLS protocol to validate that no tampering has occurred to signaling packets during transmission. |
| Manufacturing installed certificate | Each Cisco Unified IP Phone contains a unique manufacturing installed certificate (MIC), which is used for device authentication. The MIC is a permanent unique proof of identity for the phone, and allows Cisco Unified CM to authenticate the phone. |
| Secure SRST reference | After you configure an SRST reference for security and then reset the dependent devices in Cisco Unified CM Administration, the TFTP server adds the SRST certificate to the phone cnf.xml file and sends the file to the phone. A secure phone then uses a TLS connection to interact with the SRST-enabled router. |
| Media encryption | Uses SRTP to ensure that the media streams between supported devices prove secure and that only the intended device receives and reads the data. Includes creating a media master key pair for the devices, delivering the keys to the devices, and securing the delivery of the keys while the keys are in transport. |










