<div dir="ltr">This is one of the concepts I'd raised yesterday, generating a nonce using a unique value that only the vendor and the phone know (i.e. a serial number, or in future phones, a TPM/RSA module). However, if the keys are ever compromised, then this would be rendered useless. Encryption is also good, but relies on a strong password which is difficult to type in on a phone and removes the concept of zero touch.<div>
<br></div><div>To be honest, I don't think zero touch is going to be feasible if we want to keep security, because you are trusting that the keys stored at &lt;vendor's provisioning system here&gt; haven't been compromised. One touch would be a much better solution (there have been some great suggestions on that so far).</div>
<div><br></div><div>Cal</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Oct 24, 2013 at 4:17 PM, Moishe Grunstein <span dir="ltr"><<a href="mailto:max@nysolutions.com" target="_blank">max@nysolutions.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I wonder if Yealink phones have a certificate that can verify the MAC address being provisioned, the way the newer Snom do.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="http://wiki.snomone.com/index.php?title=Plug_and_Play_for_snom_phones#Pairing_the_phone_with_snom_ONE" target="_blank">http://wiki.snomone.com/index.php?title=Plug_and_Play_for_snom_phones#Pairing_the_phone_with_snom_ONE</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333399">Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333399"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333399">Moishe Grunstein<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333399">Tornado Computer Systems, Inc.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333399"><a href="tel:212.400.7650" value="+12124007650" target="_blank">212.400.7650</a> <a href="http://888.IPPBX.US" target="_blank">888.IPPBX.US</a><br>
</span><b><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:#76923c">Service Request Email: <a href="mailto:support@nysolutions.com" target="_blank">support@nysolutions.com</a> </span></b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#333399"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";color:#333399">Polycom Certified VAR<br>Microsoft Small Business Specialist, Cisco SMB Select Certified</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#333399"><u></u><u></u></span></p>
<p class="MsoNormal"><a href="http://www.nysolutions.com/" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1f497d;text-decoration:none"><img border="0" width="147" height="68" src="cid:image001.jpg@01CED0A9.B4D65980" alt="cid:image001.jpg@01C72F94.9EE45D60"></span></a><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Calibri","sans-serif";color:#c0504d">Computer Networking * Managed Services * IP Video Surveillance * Network Assessments * Web Solutions * Voice over IP * Disaster Recovery * Network Security * Site Surveys * CMS</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
</div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a> [mailto:<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a>] <b>On Behalf Of </b>Moshe3t<br>
<b>Sent:</b> Thursday, October 24, 2013 10:47 AM<br><b>To:</b> FreeSWITCH Users Help<br><b>Subject:</b> Re: [Freeswitch-users] [Special Announcement] ClueCon Weekly Special Security Edition! Wed Oct 23rd @ 1PM Eastern<u></u><u></u></span></p>
</div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Hi <br><br>I would suggest (I have Bcc'd Yealink as well) that, as they already have it so that when a phone is reset to factory default the local network option (DHCP/Static) pops up on the screen of the phone and is modifiable via the phone keypad, it should also ask whether provisioning is encrypted or not, and if encrypted is chosen it should let the end user put in the decryption key via the phone keypad, which will be available on the website of the provisioning server (assuming it's secure, as in most cases it might hold SIP creds as well), so the end user will be able to set up and auto-provision their phone without logging in to the phone web GUI (ok! it won't be zero touch, it will be 1 touch provisioning, as if the user doesn't have to touch the phone at all ;-) ) <br>
<br>Before submitting this approach to any vendors I would like to hear input and make sure the issue is addressed properly, and hear if anyone has a better approach to fix this issue globally (at least with the Yealink line of products, as they seem to be very cooperative and understanding in general, especially when it comes to security, in hopes other companies will follow suit) <br>
<br>Sincerely <br><br><br>Moshe BT<br><br><br><br><br>On 10/24/2013 10:05 AM, Ken Rice wrote:<u></u><u></u></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><p class="MsoNormal" style="margin-bottom:12.0pt">
<span style="font-size:11.0pt;font-family:"Courier New"">The video has been marked private at vendor request...<br><br><br>On 10/24/13 2:11 AM, "Gerald Weber" <<a href="mailto:gerald.weber@besharp.at" target="_blank">gerald.weber@besharp.at</a>> wrote:</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks, but YouTube says this video is private.<br> <br></span><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">freeswitch-users-bounces@lists.freeswitch.org</a> [<a href="mailto:freeswitch-users-bounces@lists.freeswitch.org" target="_blank">mailto:freeswitch-users-bounces@lists.freeswitch.org</a>] <b>On Behalf Of </b>Cal Leeming [Simplicity Media Ltd]<br>
<b>Sent:</b> Wednesday, October 23, 2013 23:38<br><b>To:</b> FreeSWITCH Users Help<br><b>Cc:</b> <a href="mailto:freeswitch-dev@lists.freeswitch.org" target="_blank">freeswitch-dev@lists.freeswitch.org</a>; <a href="mailto:freeswitch-cluecon@lists.freeswitch.org" target="_blank">freeswitch-cluecon@lists.freeswitch.org</a><br>
<b>Subject:</b> Re: [Freeswitch-users] [Special Announcement] ClueCon Weekly Special Security Edition! Wed Oct 23rd @ 1PM Eastern<br></span><br><span style="font-size:11.0pt;font-family:"Courier New""><br></span>For those that missed it, you can watch the whole thing here:<br>
<span style="font-size:11.0pt;font-family:"Courier New""><br></span><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><a href="http://www.youtube.com/watch?v=raXkHi_uGF8" target="_blank">http://www.youtube.com/watch?v=raXkHi_uGF8</a></span><u></u><u></u></p>
<p class="MsoNormal"><u><span style="font-size:11.0pt;font-family:"Courier New";color:#888888"><br></span></u><span style="font-size:11.0pt;font-family:"Courier New"">-- <br>Ken<br><a href="http://www.FreeSWITCH.org" target="_blank">http://www.FreeSWITCH.org</a><br>
<a href="http://www.ClueCon.com" target="_blank">http://www.ClueCon.com</a><br><a href="http://www.OSTAG.org" target="_blank">http://www.OSTAG.org</a><br>G+ ClueCon : <a href="http://fs0.us/cluecon-gplus" target="_blank">http://fs0.us/cluecon-gplus</a><br>
FB ClueCon : <a href="http://fs0.us/cluecon-fb" target="_blank">http://fs0.us/cluecon-fb</a><br>G+ FreeSwitch : <a href="http://fs0.us/freeswitch-gplus" target="_blank">http://fs0.us/freeswitch-gplus</a><br>FB FreeSWITCH : <a href="http://fs0.us/freeswitch-fb" target="_blank">http://fs0.us/freeswitch-fb</a> <br>
Twitter : @FreeSWITCH_WIRE<br><a href="http://irc.freenode.net" target="_blank">irc.freenode.net</a> #freeswitch<br></span><br><br><br><u></u><u></u></p><pre>_________________________________________________________________________<u></u><u></u></pre>
<pre>Professional FreeSWITCH Consulting Services:<u></u><u></u></pre><pre><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><u></u><u></u></pre><pre><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><u></u><u></u></pre>
<pre><u></u> <u></u></pre><pre>FreeSWITCH-powered IP PBX: The CudaTel Communication Server<u></u><u></u></pre><pre><a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><u></u><u></u></pre><pre><u></u> <u></u></pre>
<pre>Official FreeSWITCH Sites<u></u><u></u></pre><pre><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><u></u><u></u></pre><pre><a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><u></u><u></u></pre>
<pre><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><u></u><u></u></pre><pre><u></u> <u></u></pre><pre>FreeSWITCH-users mailing list<u></u><u></u></pre><pre><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><u></u><u></u></pre>
<pre><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><u></u><u></u></pre><pre>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><u></u><u></u></pre>
<pre><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><u></u><u></u></pre></blockquote><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div>
<br></blockquote></div><br></div>
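<div><p>The two mechanisms this thread sketches, a per-device secret combined with a server-issued nonce to authenticate the phone to the provisioning server, and a keypad-entered key that unlocks an encrypted config for one-touch provisioning, as an added example that is not code from any message above nor from Yealink, Snom or FreeSWITCH. The serial number, device secret, PIN and salt are constructed values; the class and function names are this example's own; and the HMAC-based encrypt-then-MAC construction is a standard-library stand-in for a real AEAD such as AES-GCM.</p></div>

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not a real device): one phone's serial number and the
# per-device secret that, in the scheme discussed, only the vendor's provisioning
# system and that phone hold.
SAMPLE_SERIAL = "SN-EXAMPLE-0001"
SAMPLE_DEVICE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def phone_response(serial, device_secret, nonce):
    """What the phone sends back: HMAC-SHA256 over the server's nonce and its serial."""
    return hmac.new(device_secret, nonce + serial.encode(), hashlib.sha256).digest()


class ProvisioningServer:
    """Zero-touch check: the phone proves it holds the per-device secret by MACing a
    fresh server-chosen nonce. Each nonce is accepted at most once, so a captured
    response cannot be replayed; the check is still only as strong as the secret
    store the server reads from (a leaked table answers every challenge)."""

    def __init__(self, device_secrets):
        self._secrets = dict(device_secrets)   # serial -> secret: the trust anchor
        self._pending = {}                     # serial -> nonce awaiting a response

    def issue_challenge(self, serial):
        if serial not in self._secrets:
            return None                        # unknown device: hand out nothing
        nonce = secrets.token_bytes(16)
        self._pending[serial] = nonce          # a new challenge voids any older one
        return nonce

    def verify(self, serial, nonce, response):
        expected_nonce = self._pending.pop(serial, None)   # single use
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False                       # no live challenge, or a replayed nonce
        expected = phone_response(serial, self._secrets[serial], nonce)
        return hmac.compare_digest(expected, response)


def derive_config_key(pin, salt):
    """One-touch variant: the config key comes from a code typed on the keypad,
    stretched with PBKDF2 so a short PIN is not cheap to guess offline from a
    captured config file."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)


def _keystream(enc_key, iv, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    """Separate encryption and MAC keys derived from the PIN-derived key."""
    enc_key = hmac.new(key, b"config-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"config-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal_config(key, plaintext):
    """Encrypt-then-MAC: iv || ciphertext || tag. Stand-in for AES-GCM."""
    enc_key, mac_key = _subkeys(key)
    iv = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_config(key, blob):
    """Returns the plaintext config, or None if the PIN is wrong or the file was
    altered: the phone must refuse the config rather than apply a corrupted one."""
    if len(blob) < 16 + 32:
        return None
    enc_key, mac_key = _subkeys(key)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


if __name__ == "__main__":
    server = ProvisioningServer({SAMPLE_SERIAL: SAMPLE_DEVICE_SECRET})
    nonce = server.issue_challenge(SAMPLE_SERIAL)
    resp = phone_response(SAMPLE_SERIAL, SAMPLE_DEVICE_SECRET, nonce)
    print("genuine phone accepted:", server.verify(SAMPLE_SERIAL, nonce, resp))
    print("replayed response accepted:", server.verify(SAMPLE_SERIAL, nonce, resp))
    salt = b"constructed-salt"
    key = derive_config_key("4821", salt)   # the code shown on the server's web page
    blob = seal_config(key, b"sip_user=1001\nsip_password=example\n")
    print("opens with right PIN:", open_config(key, blob) is not None)
    print("opens with wrong PIN:", open_config(derive_config_key("0000", salt), blob) is not None)
```

<div><p>The nonce in <code>ProvisioningServer</code> stops a captured response from being reused, but it does nothing about the objection raised in the first message: whoever holds the <code>device_secrets</code> table can answer any challenge, so a compromised vendor database defeats the zero-touch path. The one-touch path moves the trust to a short code the user types, which is why the key is stretched with PBKDF2 and why <code>open_config</code> rejects the file outright on a MAC mismatch instead of applying whatever decrypts.</p></div>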