Encryption
Compliance and Policy Control for File Transfer and Screen Capture
If you send file transfers and screen captures using the Managed file transfer option on Cisco Unified Communications Manager IM and Presence 10.5(2) or later, you can send the files to a compliance server for audit and policy enforcement.
For more information about compliance, see the Instant Messaging Compliance for IM and Presence Service on Cisco Unified Communications Manager guide.
For more information about configuring file transfer and screen capture, see the Cisco Unified Communications Manager IM and Presence Deployment and Installation Guide.
Instant Message Encryption
Cisco Jabber uses Transport Layer Security (TLS) to secure Extensible Messaging and Presence Protocol (XMPP) traffic over the network between the client and server. Cisco Jabber encrypts point to point instant messages.
On-Premises Encryption
The following table summarizes the details for instant message encryption in on-premises deployments.
Connection |
Protocol |
Negotiation Certificate |
Expected Encryption Algorithm |
---|---|---|---|
Client to server |
XMPP over TLS v1.2 |
X.509 public key infrastructure certificate |
AES 256 bit |
Server and Client Negotiation
The following servers negotiate TLS encryption with Cisco Jabber using X.509 public key infrastructure (PKI) certificates with the following:
-
Cisco Unified Communications Manager IM and Presence
-
Cisco Unified Communications Manager
After the server and client negotiate TLS encryption, both the client and server generate and exchange session keys to encrypt instant messaging traffic.
The following table lists the PKI certificate key lengths for Cisco Unified Communications Manager IM and Presence Service.
Version |
Key Length |
---|---|
Cisco Unified Communications Manager IM and Presence Service versions 9.0.1 and higher |
2048 bit |
XMPP Encryption
Cisco Unified Communications Manager IM and Presence Service uses 256-bit length session keys that are encrypted with the AES algorithm to secure instant message traffic between Cisco Jabber and the presence server.
If you require additional security for traffic between server nodes, you can configure XMPP security settings on Cisco Unified Communications Manager IM and Presence Service. See the following for more information about security settings:
-
Cisco Unified Communications Manager IM and Presence Service—Security configuration on IM and Presence
Instant Message Logging
You can log and archive instant messages for compliance with regulatory guidelines. To log instant messages, you either configure an external database or integrate with a third-party compliance server. Cisco Unified Communications Manager IM and Presence Service does not encrypt instant messages that you log in external databases or in third party compliance servers. You must configure your external database or third party compliance server as appropriate to protect the instant messages that you log.
See the following for more information about compliance:
-
Cisco Unified Communications Manager IM and Presence Service—Instant Messaging Compliance for IM and Presence Service
For more information about encryption levels and cryptographic algorithms, including symmetric key algorithms such as AES or public key algorithms such as RSA, see Next Generation Encryption at this link https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html.
For more information about X.509 public key infrastructure certificates, see the Internet X.509 Public Key Infrastructure Certificate and CRL Profile document at this link https://www.ietf.org/rfc/rfc2459.txt.
Cloud-Based Encryption
The following table summarizes the details for instant message encryption in cloud-based deployments:
Connection |
Protocol |
Negotiation Certificate |
Expected Encryption Algorithm |
---|---|---|---|
Client to server |
XMPP within TLS |
X.509 public key infrastructure certificate |
AES 128 bit |
Client to client |
XMPP within TLS |
X.509 public key infrastructure certificate |
AES 256 bit |
Server and Client Negotiation
The following servers negotiate TLS encryption with Cisco Jabber using X.509 public key infrastructure (PKI) certificates with the Webex Messenger service.
After the server and client negotiate TLS encryption, both the client and server generate and exchange session keys to encrypt instant messaging traffic.
XMPP Encryption
The Webex Messenger service uses 128-bit session keys that are encrypted with the AES algorithm to secure instant message traffic between Cisco Jabber and the Webex Messenger service.
You can optionally enable 256-bit client-to-client AES encryption to secure the traffic between clients.
Instant Message Logging
The Webex Messenger service can log instant messages, but it does not archive those instant messages in an encrypted format. However, the Webex Messenger service uses stringent data center security, including SAE-16 and ISO-27001 audits, to protect the instant messages that it logs.
The Webex Messenger service cannot log instant messages if you enable AES 256 bit client-to-client encryption.
For more information about encryption levels and cryptographic algorithms, including symmetric key algorithms such as AES or public key algorithms such as RSA, see Next Generation Encryption at this link https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html.
For more information about X.509 public key infrastructure certificates, see the Internet X.509 Public Key Infrastructure Certificate and CRL Profile document at this link https://www.ietf.org/rfc/rfc2459.txt.
Client-to-Client Encryption
By default, instant messaging traffic between the client and the Cisco WebEx Messenger service is secure. You can optionally specify policies in the Cisco WebEx Administration Tool to secure instant messaging traffic between clients.
-
Support AES Encoding For IM—Sending clients encrypt instant messages with the AES 256-bit algorithm. Receiving clients decrypt instant messages.
-
Support No Encoding For IM—Clients can send and receive instant messages to and from other clients that do not support encryption.
Policy Combination |
Client-to-Client Encryption |
When the Remote Client Supports AES Encryption |
When the Remote Client Does not Support AES Encryption |
---|---|---|---|
Support AES Encoding For IM = false Support No Encoding For IM = true |
No |
Cisco Jabber sends unencrypted instant messages. Cisco Jabber does not negotiate a key exchange. As a result, other clients do not send Cisco Jabber encrypted instant messages. |
Cisco Jabber sends and receives unencrypted instant messages. |
Support AES Encoding For IM = true Support No Encoding For IM = true |
Yes |
Cisco Jabber sends and receives encrypted instant messages. Cisco Jabber displays an icon to indicate instant messages are encrypted. |
Cisco Jabber sends encrypted instant messages. Cisco Jabber receives unencrypted instant messages. |
Support AES Encoding For IM = true Support No Encoding For IM = false |
Yes |
Cisco Jabber sends and receives encrypted instant messages. Cisco Jabber displays an icon to indicate instant messages are encrypted. |
Cisco Jabber does not send or receive instant messages to the remote client. Cisco Jabber displays an error message when users attempt to send instant messages to the remote client. |
Note |
Cisco Jabber does not support client-to-client encryption with group chats. Cisco Jabber uses client-to-client encryption for point-to-point chats only. |
For more information about encryption and Cisco WebEx policies, see About Encryption Levels in the Cisco WebEx documentation.
Encryption Icons
Review the icons that the client displays to indicate encryption levels.
Lock Icon for Client to Server Encryption
In both on-premises and cloud-based deployments, Cisco Jabber displays the following icon to indicate client to server encryption:
Lock Icon for Client to Client Encryption
In cloud-based deployments, Cisco Jabber displays the following icon to indicate client to client encryption:
Local Chat History
Chat history is retained after participants close the chat window and until participants sign out. If you do not want to retain chat history after participants close the chat window, set the Disable_IM_History parameter to true. This parameter is available to all clients except IM-only users.
For on-premises deployment of Cisco Jabber for Mac, if you select the Save chat archives to: option in the Chat Preferences window of Cisco Jabber for Mac, chat history is stored locally in the Mac file system and can be searched using Spotlight.
Cisco Jabber does not encrypt archived instant messages when local chat history is enabled.
For desktop clients, you can restrict access to chat history by savings archives to the following directories:
-
Windows, %USERPROFILE%\AppData\Local\Cisco\Unified Communications\Jabber\CSF\History\uri.db
-
Mac: ~/Library/Application Support/Cisco/Unified Communications/Jabber/CSF/History/uri.db.
For mobile clients, the chat history files are not accessible.