Encryption

Any host may be configured to use encrypted messages. When this option is selected, a private key must be selected and configured both in the router and at the host. When the connection is made, the router generates a random 8-byte session key, encrypts it with DES under the private key, and sends the encrypted session key. To allow checking, the session key is sent doubled, as a 16-byte string. For example, if the key were ABCDEFGH, ABCDEFGHABCDEFGH would be encrypted and sent to the host as a 16-byte string. The host should decrypt this using the private key and verify that the first 8 bytes are the same as the last 8 bytes. If this check fails, the connection should be rejected.

All tagged fields in subsequent QUERY_REQ and QUERY_RESP messages are encrypted and decrypted using this 8-byte session key. Each tagged field is padded with nulls until its length is a multiple of 8 bytes and then encrypted, so the tagged field sent is always a multiple of 8 bytes long. After decryption, the trailing nulls must be counted and removed in order to compute the true length of the string, if necessary.

Any tagged field that does not decrypt to a valid ASCII string is treated as an error and ignored.

Transport Layer Security (TLS)

The application gateway interface supports a TLS-based security mechanism. For more information, refer to the Security Guide for Cisco Unified ICM/Contact Center Enterprise.