© 2003 - 2005 Sipura Technology, Inc
Proprietary (See Copyright Notice on Page 2)
86
User Interface
The SPA can be set up such that all outbound calls are secure calls by default, or not secure by
default. If outbound calls are secure by default, user has the option to disable security when making
the next call by dialing *19 before dialing the target number. If outbound calls are not secure by
default, user has the option to make the next outbound call secure by dialing *18 before dialing the
target number. On the other hand, user cannot force inbound calls to be secure or not secure; it is at
the mercy of the caller whether he/she enables security or not for that call.
If the call successfully switches to the secure mode, both parties will hear the “Secure Call Indication
Tone” for a short while and the CID will be updated with the Name and Number extracted from the
Mini-Certificate sent by the other party, provided CIDCW service and equipment are available: the
CID Name in this case will have a ‘$’ sign inserted at the beginning. The callee should check the
name and number again to ensure the identity of the caller. The caller should also double check the
name and number of the callee to make sure this is what he/she expects. Note that the SPA will not
switch to secure mode if the callee’s CID Number from its Mini-Certificate does not agree with the
user-id used in making the outbound call: the caller’s SPA will perform this check after receiving the
callee’s Mini-Certificate.
Service Provider Requirements
The SPA Mini-Certificate (MC) has a 512-bit public key used for establishing secure calls. The
administrator must provision each subscriber of the secure call service with an MC and the
corresponding 512-bit private key. The MC is signed with a 1024-bit private key of the service
provider who acts as the CA of the MC. The 1024-bit public key of the CA signing the MC must also
be provisioned to each subscriber. The CA public key is used by the SPA to verify the MC received
from the other end. If the MC is invalid, the SPA will not switch to secure mode. The MC and the
1024-bit CA public key are concatenated and base64 encoded into the single parameter <Mini
Certificate>. The 512-bit private key is base64 encoded into the <SRTP Private Key> parameter,
which should be hidden from the SPA’s web interface like a password.
Since the secure call establishment relies on exchange of information embedded in message bodies
of SIP INFO requests/responses, the service provider must maker sure that their infrastructure will
allow the SIP INFO messages to pass through with the message body unmodified.
Sipura provides a configuration tool called gen_mc for the generation of MC and private keys with the
following syntax:
gen_mc <ca-key> <user-name> <user-id> <expire-date>
Where:
- ca-key is a text file with the base64 encoded 1024-bit CA private/public key pairs for
signing/verifying the MC, such as
9CC9aYUEBZmi3AmcqE9U1LxEOGwopaGyGOh3VyhKgi6JaVtQZt87PiJINKW8XQj3B9Qq
e3VgYxWCQNa335YCnDsenASeBxuMIEaBCYd1l1fVEodJZOGwXwfAde0MhcbD0kj7LVlzcsTyk2TZ
YTccnZ75TuTjj13qvYs=
5nEtOrkCa84/mEwl3D9tSvu/Hd+C8u5SNk7hsAUZaA9TqH8Iw0J/IqSrsf6scsmundY5j7Z5m
K5J9uBxSB8t8vamFGD0pF4zhNtbrVvIXKI9kmp4vph1C5jzO9zjypf
GUfrpAuXb7/k=
- user-name is the name of the subscriber, such as “Joe Smith”. Maximum length is 32 characters
- user-id is the user-id of the subscriber and must be exactly the same as the user-id used in the
INVITE when making the call, such as “14083331234”. Maximum length is 16 characters.
- expire-date is the expiration date of the MC, such as “00:00:00 1/1/34” (34=2034). Internally the
date is encoded as a fixed 12B string: 000000010134
