AES-256-CBC Encryption
The phone supports AES-256-CBC encryption for configuration files.
The OpenSSL encryption tool, available for download from various Internet sites, can perform the encryption.
Support for 256-bit AES encryption may require recompilation of the tool to enable the AES code. The
firmware has been tested against version openssl-0.9.7c.
Encrypt a Profile with OpenSSL, on page 64, provides a tutorial on encryption.
For an encrypted file, the profile expects the file to have the same format as generated by the following
command:
# example encryption key = SecretPhrase1234
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml -out profile.cfg
# analogous invocation for a compressed xml file
openssl enc -e -aes-256-cbc -k SecretPhrase1234 -in profile.xml.gz -out profile.cfg
A lowercase -k precedes the secret key, which can be any plain text phrase, and which is used to generate a
random 64-bit salt. With the secret specified by the -k argument, the encryption tool derives a random 128-bit
initial vector and the actual 256-bit encryption key.
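The file layout and key derivation behind the command above, as an added example that is not part of the original guide: it reads the "Salted__" header and 8-byte salt that openssl enc writes, then derives the 256-bit key and 128-bit IV from the passphrase and that salt. It assumes the legacy OpenSSL defaults of the 0.9.7 era (MD5 digest, one iteration); the function names and the sample bytes are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte marker that `openssl enc` writes before the salt


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """One-iteration EVP_BytesToKey with MD5 (assumed legacy default digest)."""
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        # Each round hashes the previous digest plus passphrase and salt.
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def parse_profile(blob: bytes, passphrase: str) -> dict:
    """Split an encrypted profile into salt, derived key, derived IV and ciphertext."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted 'openssl enc' file")
    salt, ciphertext = blob[8:16], blob[16:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    return {"salt": salt, "key": key, "iv": iv, "ciphertext": ciphertext}


# Constructed sample: fixed salt followed by 32 bytes of placeholder ciphertext.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(32)

if __name__ == "__main__":
    info = parse_profile(SAMPLE, "SecretPhrase1234")
    for name in ("salt", "key", "iv"):
        print(name, info[name].hex())
```

OpenSSL 1.1.0 and later default to SHA-256 for this derivation, so output from a current openssl build matches this layout only when -md md5 is given.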
When this form of encryption is used on a configuration profile, the phone must be informed of the secret key
value to decrypt the file. This value is specified as a qualifier in the profile URL. The syntax is as follows,
using an explicit URL:
[--key "SecretPhrase1234"] http://prov.telco.com/path/profile.cfg
This value is programmed by using one of the Profile_Rule parameters.
Macro Expansion
Several provisioning parameters undergo macro expansion internally prior to being evaluated. This preevaluation
step provides greater flexibility in controlling the phone resync and upgrade activities.
These parameter groups undergo macro expansion before evaluation:
• Resync_Trigger_*
• Profile_Rule*
• Log_xxx_Msg
• Upgrade_Rule
Under certain conditions, some general-purpose parameters (GPP_*) also undergo macro expansion, as
explicitly indicated in Optional Resync Arguments, on page 85.
During macro expansion, the contents of the named variables replace expressions of the form $NAME and
$(NAME). These variables include general-purpose parameters, several product identifiers, certain event
timers, and provisioning state values. For a complete list, see Macro Expansion Variables, on page 73.
In the following example, the expression $(MAU) is used to insert the MAC address 000E08012345.
The administrator enters: $(MAU)config.cfg
Cisco IP Phone 8800 Series Multiplatform Phone Administration Guide for Release 11.3(1) and Later
Cisco IP Phone Provisioning