
New Member

Provisioning

We have a provisioning server that we use with many different manufacturers, Cisco/Linksys (Sipura) as well.

It's using HTTP now, and we were looking to move over to HTTPS. It's my understanding that the standard "known" certificates (example: Verisign) will not work. In order to use HTTPS you need to use a Cisco-signed certificate, correct?

My question is twofold: will it not work entirely, and therefore it will not download, or will it not be secure?

I can't install a Cisco certificate as I have files from other manufacturers on the server....

My next question was: the actual files themselves are being processed through the SPC.exe tool, is that enough? Are the CFGs "crackable"?

Thanks for any input!!

5 REPLIES
VIP Gold

You need a certificate issued by an authority considered trusted: either a CA embedded in the phone by default, or a CA preconfigured into the phone to be trusted by you.

> I can't install a Cisco certificate as I have files from other manufacturers on the server....

So you need to either

  • install your CA certificate into the phone
  • start an HTTPS server dedicated to Cisco/Linksys/Sipura devices on another port.

> The actual files themselves are being processed through the SPC.exe tool

No, they may be XML text files as well.

> are the CFGs "crackable"

Did you order encryption during its SPC compilation?

 

New Member

Thanks for your help,

Is --target hex_string considered encryption?

VIP Gold

The targeting algorithm has never been published (not surprisingly). But I feel there is AES within the compiled file. Unfortunately, the key used during targeting is not secret. It is derived algorithmically from known data.

So the compiled content is not secret to anyone who knows the target MAC and the key derivation algorithm.

If you are interested in security AND fully automatic provisioning (e.g. a brand new phone becomes configured with no manual intervention), then you need to use SSL-style provisioning and client-side authentication based on the phone's embedded certificate.
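
The two suggestions in the replies above (a dedicated HTTPS listener on another port, and client-side authentication with the phone's embedded certificate) could be combined as in the following added example, which is not part of the original thread. It assumes nginx as the provisioning web server; the hostname, ports, directories and certificate file paths are all placeholders.

```nginx
# Added example: hostname, ports and every file path below are placeholders.
events {}

http {
    # Record whether the client certificate verified and who presented it.
    log_format prov '$remote_addr "$request" $status '
                    'verify=$ssl_client_verify subject="$ssl_client_s_dn"';

    # Listener for the other manufacturers: publicly trusted server certificate.
    server {
        listen 443 ssl;
        server_name prov.example.com;

        ssl_certificate     /etc/nginx/tls/public-ca-signed.crt;
        ssl_certificate_key /etc/nginx/tls/public-ca-signed.key;

        root /srv/provisioning/other-vendors;
    }

    # Dedicated listener for Cisco/Linksys/Sipura devices on another port.
    server {
        listen 8443 ssl;
        server_name prov.example.com;

        # Server certificate issued by a CA the phones trust
        # (embedded in the phone by default, or preconfigured by you).
        ssl_certificate     /etc/nginx/tls/phone-trusted.crt;
        ssl_certificate_key /etc/nginx/tls/phone-trusted.key;

        # CA bundle that issued the phones' embedded client certificates.
        ssl_client_certificate /etc/nginx/tls/phone-client-ca.pem;
        ssl_verify_client on;   # requests without a valid client cert are rejected
        ssl_verify_depth 2;

        access_log /var/log/nginx/prov-phones.log prov;

        root /srv/provisioning/phones;
        location / {
            try_files $uri =404;   # serve existing files only, no directory index
        }
    }
}
```

With this layout the configuration files travel inside TLS and are only served to devices that present a certificate chaining to the configured client CA, so confidentiality no longer rests on the targeting key.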

 

 

New Member

 

I still have not found how to crack a cfg file even if you know the MAC. I guess, back to my original question: are they crackable?

VIP Gold

Well, I wish I had sufficient knowledge to write the deciphering code. I know the configuration file structure, the encryption algorithm used and the key derivation algorithm.

I'm sure that many people are sufficiently skilled to discover the same things. It's not so hard to do. I spent about six hours or so reverse engineering to discover ...

I don't know how many people have completed the task already, of course. You need to decide whether it can be considered safe protection for your particular project.

Will I prove I can decipher a configuration? No. I'm not going to make a working implementation now.

 
