Comtrol DeviceMaster DM-2000 Series - SSL Overview; SSL Authentication; Server Authentication

74 - DeviceMaster Security DeviceMaster Installation and Configuration Guide: 2000594 Rev. F
SSL Overview
DeviceMaster SSL provides the following features:
- Provides both encryption and authentication.
  - Encryption prevents a third-party eavesdropper from viewing data that is being transferred.
  - Authentication allows both the client (that is, the web browser) and the server (that is, the DeviceMaster) to ensure that only the desired parties are allowed to establish connections. This prevents both unauthorized access and man-in-the-middle attacks on the communications channel.
Several slightly different SSL protocols are supported by the DeviceMaster: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2.
The DeviceMaster uses the third-party MatrixSSL library from PeerSec Networks: http://www.peersec.com/matrixssl.html.
SSL Authentication
DeviceMaster SSL authentication has the following features:
- Authentication means being able to verify the identity of the party at the other end of a communications channel. A username/password is a common example of authentication.
- SSL/TLS protocols allow authentication using either RSA certificates or DSS certificates. The DeviceMaster supports only RSA certificates.
- Each party (client and server) can present an ID certificate to the other.
- Each ID certificate is signed by another authority certificate or key.
- Each party can then verify the validity of the other's ID certificate by verifying that it was signed by a trusted authority. This verification requires that each party have access to the certificate/key that was used to sign the other party's ID certificate.
Server Authentication
Server Authentication is the mechanism by which the DeviceMaster proves its identity.
The DeviceMaster (generally an SSL server) can be configured by uploading an ID certificate that is to be presented to clients when they connect to the DeviceMaster.
The private key used to sign the certificate must also be uploaded to the DeviceMaster.
Note: Possession of that private key will allow eavesdroppers to decrypt all traffic to and from the DeviceMaster.
The corresponding public key can be used to verify the ID certificate but not to decrypt traffic.
All DeviceMaster units are shipped from the factory with identical self-signed ID certificates and private keys. This means that somebody could (with a little effort) extract the factory default private key from the DeviceMaster firmware and use that private key to eavesdrop on traffic to/from any other DeviceMaster that is still being used with the default private key.
The public/private key pairs and the ID certificates can be generated using the openssl command-line tools.
If the server authentication certificate in the DeviceMaster is not signed by an authority known to the client (as shipped, they are not), then interactive SSL clients such as web browsers will generally warn the user.
If the name in the server authentication certificate does not match the hostname that was used to access the server, then interactive SSL clients such as web browsers will generally warn the user.
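As an added example that is not part of the Comtrol manual, the following POSIX shell script uses the openssl command-line tools to mint a per-unit RSA key pair and an ID certificate signed by a private authority, and then runs the two client-side checks the preceding paragraphs describe: that the certificate chains to a trusted authority, and that its name matches the hostname used to reach the server. It assumes the openssl CLI is installed; the CA name, the hostname dm.example.com and the file names are invented for the demonstration.

```shell
# Added example, not from the Comtrol manual: mint a per-unit RSA identity
# with the openssl CLI and check it the way a TLS client would. The CA name
# and the hostname dm.example.com are made up for the demonstration.
set -eu

# Create a private CA plus a device ID certificate signed by it in $1,
# using the DeviceMaster's hostname $2 as subject CN and SAN.
gen_device_identity() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. The trusted authority whose certificate clients will import.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example DeviceMaster CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. A fresh key pair for this unit only (replaces the shared factory key).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
    # 3. The ID certificate: CA-signed, carrying the hostname as a SAN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/device.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/device.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/device.ext" -out "$dir/device.crt" 2>/dev/null
    # device.crt + device.key go onto the unit; ca.crt goes to the clients.
}

# Stand-in for a unit still presenting a self-signed factory certificate.
gen_factory_default() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=DeviceMaster" -keyout "$1/factory.key" \
        -out "$1/factory.crt" 2>/dev/null
}

# Client-side check of server cert $2: signed by the CA in $1 and issued
# for hostname $3? Echoes OK or FAIL (the two cases a browser warns about).
check_server_cert() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    then echo OK
    else echo FAIL; return 1
    fi
}
demo() {
    w=$(mktemp -d)
    gen_device_identity "$w" dm.example.com
    gen_factory_default "$w"
    check_server_cert "$w/ca.crt" "$w/device.crt" dm.example.com    || true  # OK
    check_server_cert "$w/ca.crt" "$w/device.crt" other.example.com || true  # FAIL: name mismatch
    check_server_cert "$w/ca.crt" "$w/factory.crt" dm.example.com   || true  # FAIL: untrusted issuer
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo`; the third check shows why a factory-default self-signed certificate produces a browser warning even when the hostname matches.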
