Ssl overview, Ssl authentication, Server authentication – Comtrol Hub DeviceMaster User Manual
Page 78: Ssl overview ssl authentication
78 - DeviceMaster Security
DeviceMaster Installation and Configuration Guide: 2000594 Rev. A
SSL Overview
SSL Overview
DeviceMaster SSL provides the following features:
•
Provides both encryption and authentication.
-
Encryption prevents a third-party eavesdropper from viewing data that is
being transferred.
-
Authentication allows both the client (that is, web browser) and server
(that is. DeviceMaster) to ensure that only desired parties are allowed to
establish connections. This prevents both unauthorized access and
attacks on the communications channel.
•
Two slightly different SSL protocols are supported by the DeviceMaster,
SSLv3 and TLSv1.
•
The DeviceMaster uses third-party MatrixSSL library from PeerSec
Networks
l.
SSL Authentication
DeviceMaster SSL authentication has the following features:
•
Authentication means being able to verify the identity of the party at the other
end of a communications channel. A username/password is a common example
of authentication.
•
SSL/TLS protocols allow authentication using either RSA certificates or DSS
certificates. DeviceMaster supports only RSA certificates.
•
Each party (client and server) can present an ID certificate to the other.
•
Each ID certificate is signed by another authority certificate or key.
•
Each party can then verify the validity of the other's ID certificate by verifying
that it was signed by a trusted authority. This verification requires that each
party have access to the certificate/key that was used to sign the other party's
ID certificate.
Server
Authentication
Server Authentication is the mechanism by which the DeviceMaster proves its
identity.
•
The DeviceMaster (generally an SSL server) can be configured by uploading
an ID certificate that is to be presented to clients when they connect to the
DeviceMaster.
•
The private key used to sign the certificate must also be uploaded to the
DeviceMaster.
Note: Possession of that private key will allow eavesdroppers to decrypt all
traffic to and from the DeviceMaster.
•
The corresponding public key can be used to verify the ID certificate but not to
decrypt traffic.
•
All DeviceMaster are shipped from the factory with identical self-signed ID
certificates and private keys. This means that somebody could (with a little
effort) extract the factory default private key from the DeviceMaster firmware
and use that private key to eavesdrop on traffic to/from any other
DeviceMaster that is being used with the default private key.
•
The public/private key pairs and the ID certificates can be generated using
openssl command-line tools.
•
If the server authentication certificate in the DeviceMaster is not signed by an
authority known to the client (as shipped, they are not), then interactive SSL
clients such as web browsers will generally warn the user.
•
If the name in server authentication certificate does not match the hostname
that was used to access the server, then interactive SSL clients such as web
browsers will generally warn the user.