Aastra Telecom 41-001343-02 IP Phone User Manual


 
Encrypted Files on the IP Phone
41-001343-02 REV04 – 05.2014 7-2
An encryption feature for the IP phone allows Service Providers the capability of storing encrypted files on their server to
protect against unauthorized access and tampering of sensitive information (i.e., user accounts, login passwords, registration
information). Service Providers also have the capability of locking a phone to use a specific server-provided configuration
only.
Configuration File Encryption Method
Only a System Administrator can encrypt the configuration files for an IP Phone. System Administrators use a password
distribution scheme to manually pre-configure or automatically configure the phones to use the encrypted configuration
with a unique key.
From a Microsoft Windows command line, the System Administrator uses an Aastra-supplied configuration file encryption
tool called "anacrypt.exe" to encrypt the <mac>.tuz file.
This tool processes the plain text <mac>.cfg, <model>.cfg, and aastra.cfg files and creates triple-DES encrypted versions
called <mac>.tuz, <model>.tuz, and aastra.tuz. Encryption is performed using a secret password that is chosen by the
administrator.
The encryption tool is also used to create an additional encrypted tag file called security.tuz, which controls the decryption
process on the IP phones. If security.tuz is present on the TFTP/FTP/HTTP server, the IP phones download it and use it
locally to decrypt the configuration information from the aastra.tuz and <mac>.tuz files. Because only the encrypted versions
of the configuration files need to be stored on the server, no plain-text configuration or passwords are sent across
the network, thereby ensuring security of the configuration data.
To make changes to the configuration files, the System Administrator must save the original files.
The security feature described above prevents unauthorized parties from reading or writing the contents of the
<MAC>.tuz file. It also provides the following:
- Prevents users from using a <MAC>.tuz file that does not match the user's phone MAC address.
- Renders the <MAC>.tuz file invalid if the user renames the file.
- Works with IP phone releases prior to Release 2.2.
- Provides compatibility between the previous encryption routine and the new decryption routine.
Note:
Aastra also supplies encryption tools to support Linux platforms (anacrypt.linux) if required.
Note:
If the use of encrypted configuration files is enabled (via security.tuz or pre-provisioned on the IP phone) the aastra.cfg,
<model>.cfg, and <mac>.cfg files are ignored, and only the encrypted equivalent files aastra.tuz, <model>.tuz, and
<mac>.tuz are read.
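
The following check is an added example, not part of the Aastra manual or its tools. It audits a provisioning directory against the rules above: once security.tuz is present, plain-text .cfg files are ignored by the phones and should not remain on the server, and every configuration needs a .tuz equivalent. The function names, finding codes, and the sample MAC-style file name are assumptions made for illustration.

```python
import os
import tempfile

TAG_FILE = "security.tuz"  # tag file name taken from the manual

def audit_provisioning_dir(path):
    """Return sorted (finding_code, file_name) pairs; the codes are hypothetical."""
    plain, encrypted, tag_present = {}, set(), False
    for name in os.listdir(path):
        stem, ext = os.path.splitext(name)
        if name.lower() == TAG_FILE:
            tag_present = True
        elif ext.lower() == ".cfg":
            plain[stem.lower()] = name
        elif ext.lower() == ".tuz":
            encrypted.add(stem.lower())
    findings = []
    if tag_present:
        for stem, name in plain.items():
            # Phones ignore .cfg once encryption is enabled, so a copy left
            # on the server serves no purpose and exposes its contents.
            findings.append(("PLAINTEXT_ON_SERVER", name))
            if stem not in encrypted:
                # No .tuz equivalent: this configuration will not be read.
                findings.append(("NO_ENCRYPTED_COUNTERPART", name))
    elif encrypted:
        # Without the tag file, phones must be pre-provisioned to decrypt.
        findings.append(("TUZ_WITHOUT_TAG_FILE", TAG_FILE))
    return sorted(findings)

def build_sample(file_names):
    """Create a constructed sample directory of empty files for the demo."""
    directory = tempfile.mkdtemp()
    for name in file_names:
        open(os.path.join(directory, name), "w").close()
    return directory

if __name__ == "__main__":
    # Constructed layout; the MAC-style file name is made up.
    sample = build_sample(["security.tuz", "aastra.tuz", "aastra.cfg",
                           "00085D000001.cfg"])
    for code, name in audit_provisioning_dir(sample):
        print(code, name)
```

Keep the original plain-text files somewhere off the provisioning server, since the manual requires them for later changes.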