DOCSIS 1.1 for Cisco uBR905 and Cisco uBR925 Cable Access Routers and Cisco CVA122 Cable Voice Adapters
Information About DOCSIS 1.1 Support
Cisco IOS Release 12.2(15)CZ
• Issuer certificate authority (CA) name and signature—Provide a way of verifying that the certificate and keys have not been altered.
A DOCSIS 1.1 cable modem contains two digital certificates programmed into it at the factory: a cable modem certificate that uniquely identifies it, and a manufacturing certificate that identifies the cable modem’s manufacturer (in this case, Cisco Systems).
• Public and private keys—Keys used to sign and verify the certificate. The cable modem uses its private key to sign its digital certificate, creating an unforgeable digital signature that identifies the signer. Other entities, such as the CMTS, use the public key to verify that signature and thus the certificate. For security, the cable modem never transmits or displays its private key, but the public key is included as part of the certificate so that the signature can be verified.
Note: The cable modem’s private and public keys are never changed after being programmed at the factory.
• Digital signature—Created when a private key signs a digital certificate. The digital signature becomes part of the certificate, allowing the CMTS to verify that the certificate came from the cable modem claiming to have issued it.
• Certificate authority (CA)—To prevent users from creating their own certificates and private key and public key pairs, each certificate is also signed by an issuing CA. After the CMTS verifies a digital certificate with the cable modem’s public key, it then verifies that the certificate has been properly signed by the issuing CA. This process continues until the CMTS can verify the certificate against a known and trusted CA (typically the root CA).
• Root CA—A known and trusted CA that serves as the ultimate verification for a digital certificate. For DOCSIS 1.1 cable modems, the root CA is the DOCSIS Root CA certificate, which is available from Verisign at http://www.verisign.com/products/cable/root.html. The root CA is self-signed, which does not present a security problem because it originates at a known and trusted source.
• DOCSIS root code signing CA—Similar to the Root CA but used to verify the digital certificates that are used whenever a DOCSIS 1.1 cable modem downloads new software code.
During BPI+ initialization, the cable modem sends both of its signed digital certificates, the cable modem certificate (CMC) and the manufacturer’s certificate (MC), to the CMTS. The CMTS verifies the cable modem certificate against the manufacturer’s certificate, and then verifies the manufacturer’s certificate against the DOCSIS Root CA certificate. This chain of verifications ensures that the CMTS can securely identify and authenticate each cable modem.
In addition, the CMTS can check the certificates against a Hot List of invalid certificates. The Hot List, which can be maintained by trusted authorities such as a service provider or CA, can list certificates for individual cable modems that might have been stolen, hacked, or otherwise compromised. The list can also contain manufacturer’s certificates for models of cable modems that the service provider does not support.
If all certificate verifications are successful, the CMTS begins the public key exchange process, which allows data encryption and decryption to begin.
Public Key Exchange
The secure use of X.509 digital certificates depends on both the cable modem and the CMTS possessing the proper encryption and decryption keys. For security and flexibility, DOCSIS 1.1 uses a dual-key public key exchange: the first set of keys, the key encryption keys (KEKs), is used to encrypt and transmit the second set, the traffic encryption keys (TEKs), which are then used to encrypt and decrypt data.
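The chain of checks described above (cable modem certificate, manufacturer certificate, trusted root, Hot List) followed by the KEK-then-TEK layering, as an added educational example. This is not Cisco, CableLabs or DOCSIS code: it uses textbook RSA without padding, a SHA-256 keystream in place of DES/3DES, a constructed trust store with constructed names and serial numbers, and dictionaries in place of real X.509 structures. The function names (`verify_chain`, `wrap_kek`, `build_demo`) and the representation of the Hot List as a set of serial numbers are assumptions made for illustration, and the CMTS side and the cable modem side run in the same process.

```python
"""Toy model of BPI+ certificate chain verification, Hot List checking and
KEK/TEK key wrapping.  Educational example only (not DOCSIS, Cisco or CableLabs
code): textbook RSA with no padding, a SHA-256 keystream standing in for DES/3DES,
and a constructed PKI.  Not for production use."""
import hashlib
import random


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test (probabilistic, error well below 2**-48)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits=512):
    """Return (public, private) RSA keys.  n must exceed 2**256 so that a SHA-256
    digest, used directly as the signed value, always fits below the modulus."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    return pow(_digest_int(data), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data)


def make_cert(serial, subject, issuer, pub, issuer_priv):
    """Minimal stand-in for an X.509 certificate: signed fields ("tbs") plus signature."""
    tbs = f"{serial}|{subject}|{issuer}|{pub['n']}|{pub['e']}".encode()
    return {"serial": serial, "subject": subject, "issuer": issuer,
            "pub": pub, "tbs": tbs, "sig": sign(issuer_priv, tbs)}


def verify_chain(chain, trust_store, hot_list=frozenset()):
    """chain = [cable modem cert, manufacturer cert]; trust_store maps root names to
    self-signed root certs; hot_list holds revoked serials (CM or manufacturer).
    Returns (ok, reason) so the CMTS can log exactly why a modem was refused."""
    for cert in chain:                          # Hot List applies to every cert presented
        if cert["serial"] in hot_list:
            return False, f"{cert['subject']} is on the Hot List"
    for cert, issuer in zip(chain, chain[1:]):  # leaf verified against its issuer
        if cert["issuer"] != issuer["subject"] or not verify(issuer["pub"], cert["tbs"], cert["sig"]):
            return False, f"{cert['subject']} not signed by {cert['issuer']}"
    root = trust_store.get(chain[-1]["issuer"])  # top of the chain must end at a trusted root
    if root is None:
        return False, f"no trusted root named {chain[-1]['issuer']}"
    if not verify(root["pub"], root["tbs"], root["sig"]):
        return False, "root self-signature invalid"
    if not verify(root["pub"], chain[-1]["tbs"], chain[-1]["sig"]):
        return False, "manufacturer certificate not signed by root"
    return True, f"chain verified up to {root['subject']}"


def _keystream_xor(key, data):
    """Toy symmetric cipher (XOR with SHA-256(key || counter)); symmetric, so it both
    encrypts and decrypts.  Stands in for the DES/3DES used by BPI+."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_kek(cm_pub, kek):
    """CMTS encrypts the KEK under the cable modem's public key (textbook RSA)."""
    return pow(int.from_bytes(kek, "big"), cm_pub["e"], cm_pub["n"])


def unwrap_kek(cm_priv, wrapped, length=16):
    return pow(wrapped, cm_priv["d"], cm_priv["n"]).to_bytes(length, "big")


def build_demo(hot_list=frozenset()):
    """Constructed PKI (root -> manufacturer -> cable modem), chain check, then KEK/TEK.
    Returns (ok, reason, decrypted_traffic_or_None)."""
    root_pub, root_priv = gen_keypair()
    mfg_pub, mfg_priv = gen_keypair()
    cm_pub, cm_priv = gen_keypair()
    root_name = "DOCSIS Root CA (constructed)"
    root = make_cert(1, root_name, root_name, root_pub, root_priv)          # self-signed
    mfg = make_cert(2, "Example Manufacturer CA (constructed)", root_name, mfg_pub, root_priv)
    cm = make_cert(3, "CM 00:11:22:33:44:55 (constructed)", mfg["subject"], cm_pub, mfg_priv)
    ok, reason = verify_chain([cm, mfg], {root_name: root}, hot_list)
    if not ok:
        return ok, reason, None                  # no key exchange for a refused modem
    kek = bytes(random.getrandbits(8) for _ in range(16))   # CMTS chooses the KEK
    tek = bytes(random.getrandbits(8) for _ in range(8))    # ... and the TEK
    kek_at_cm = unwrap_kek(cm_priv, wrap_kek(cm_pub, kek))  # KEK travels under RSA
    tek_at_cm = _keystream_xor(kek_at_cm, _keystream_xor(kek, tek))  # TEK travels under KEK
    ciphertext = _keystream_xor(tek, b"user traffic")       # data travels under TEK
    return ok, reason, _keystream_xor(tek_at_cm, ciphertext)
```

`build_demo()` walks the happy path and returns the decrypted traffic; passing `hot_list={3}` shows the modem being refused before any key is exchanged, and feeding `verify_chain` a certificate that names the manufacturer as issuer but was signed with some other key shows why the issuer signature check, not just the issuer name, is what stops a self-made certificate.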