====== Secure IP Phone ======
**Encrypted and Authenticated Signaling**
  * IP phones and CUCM exchange certificates
  * IP phones and CUCM authenticate each other.
  * IP phones create TLS session keys for SHA-1 authentication and AES encryption
  * IP phones encrypt session keys with CUCM public key and send the keys to CUCM
  * CUCM shares TLS keys with each IP phone and starts secure exchange of signaling
**Encrypted and Authenticated RTP**
  * Session keys for SRTP SHA-1 authentication and SRTP AES encryption are generated and then exchanged via CUCM
  * IP phones share SRTP keys and start secure media exchange

===== TLS Secure Signaling =====
**Certificate Exchange in TLS**
  * Phone Hello
    * Negotiate the encryption parameters
  * The server and IP phone exchange certificates in a TLS handshake

**Server to IP Phone Authentication**
  * The IP phone sends a random challenge to the server and requests that the server signs it.
  * The server signs the random challenge with its RSA private key and returns it to the IP Phone
  * The IP phone verifies the signature by using the RSA public key of the server (available locally in the CTL)

**IP Phone to Server Authentication**
  * The server sends a random challenge to the IP phone and requests that the phone signs it.
  * The IP phone signs the random challenge with its RSA private key and returns it to the server
  * The server verifies the signature by using the RSA public key of the IP phone that was just received over the network (in the certificate)

**TLS Session Key Exchange**
  * The IP phone generates session keys, encrypts them using the public RSA key of the server, and sends them to the server
    * For SHA-1 and HMAC authentication
    * For AES encryption
  * The server decrypts the message, and now the IP phone and the server share session keys that can be used for signaling protection.
{{cucm-sec-ipphone1.png|}}

**Authenticated Signaling using TLS**
  * Each signaling message (SCCP or SIP) is carried over secure TLS packets.
{{cucm-sec-ipphone2.png|}}

===== Secure RTP =====
  * SRTP session keys are generated by:
    * The phone itself, if using SIP (Peer to Peer)
    * CUCM if using SCCP (Client/Server)
  * Keys are sent (SCCP) or passed on (SIP) to the IP phones by CUCM inside signaling messages.
  * To ensure protection of media key distribution, encrypted signaling is mandatory.
{{cucm-sec-ipphone3.png|}}

**SRTP Encryption**
  * The sender encrypts the RTP payload by using AES algorithm and the AES key received from CUCM
  * The receiver uses the same AES key (also received from CUCM) to decrypt the RTP payload
{{cucm-sec-ipphone4.png|}}

**SRTP Authentication**
  * The sender hashes the RTP header and RTP payload together with the SHA-1 key received from CUCM
  * The hash digest is added to the RTP packet, and the combined packet is sent to the receiver
  * The receiver uses the same SHA-1 key (also received from CUCM) to verify the hash digest
{{cucm-sec-ipphone5.png|}}

===== Configuration =====

==== PKI ====
  * Enable [[cucm-pki|Public Key Infrastructure (PKI)]]

==== Phone Security Profile ====
  * Authentication and encryption are enabled by setting the device security mode in phone security profile.
  * There are three options
    * Non-Secure (default)
    * Authenticated
    * Encrypted
{{cucm-sec-ipphone6.png|}}