Encrypted files on the ip phone, Configuration file encryption method, Encrypted files on the ip phone -2 – AASTRA 6700i series, 9143, 9480i, 9480i CT SIP Administrator Guide EN User Manual

7-2

41-001343-01 Rev 03, Release 3.2.2

Encrypted Files on the IP Phone

An encryption feature for the IP phone allows Service Providers the capability of storing

encrypted files on their server to protect against unauthorized access and tampering of sensitive

information (i.e., user accounts, login passwords, registration information). Service Providers

also have the capability of locking a phone to use a specific server-provided configuration only.

Configuration File Encryption Method

Only a System Administrator can encrypt the configurations files for an IP Phone. System

Administrators use a password distribution scheme to manually pre-configure or automatically

configure the phones to use the encrypted configuration with a unique key.

From a Microsoft Windows command line, the System Administrator uses an Aastra-supplied

encryption tool called "anacrypt.exe" to encrypt the <mac>.tuz file.

This tool processes the plain text <mac>.cfg, <model>.cfg, and aastra.cfg files and creates

triple-DES encrypted versions called <mac>.tuz, <model>.tuz, and aastra.tuz. Encryption is

performed using a secret password that is chosen by the administrator.

The encryption tool is also used to create an additional encrypted tag file called security.tuz,

which controls the decryption process on the IP phones. If security.tuz is present on the TFTP/

FTP/HTTP server, the IP phones download it and use it locally to decrypt the configuration

information from the aastra.tuz and <mac>.tuz files. Because only the encrypted versions of the

configuration files need to be stored on the server, no plain-text configuration or passwords are

sent across the network, thereby ensuring security of the configuration data.

To make changes to the configuration files, the System Administrator must save the original

files.

Note:

Aastra also supplies encryption tools to support Linux platforms

(anacrypt.linux) if required.

Note:

If the use of encrypted configuration files is enabled (via

security.tuz

or pre-provisioned on the IP phone) the aastra.cfg,

<model>.cfg,

and <mac>.cfg files are ignored, and only the encrypted

equivalent files aastra.tuz, <model>.tuz, and <mac>.tuz are read.