Devicemaster Security; Understanding Security Methods And Terminology - Comtrol DeviceMaster DM-2000 Series Installation And Configuration Manual

DeviceMaster Security

This subsection provides a basic understanding of the DeviceMaster security options, and the repercussions of
setting these options. See
DeviceMaster security options. See
return the DeviceMaster settings to their default values.

Understanding Security Methods and Terminology

The following table provides background information and definitions.
If configured with a CA certificate, the DeviceMaster requires all SSL/TLS clients to present
an RSA identity certificate that has been signed by the configured CA certificate. As shipped,
the DeviceMaster is not configured with a CA certificate and all SSL/TLS clients are allowed.
This uploaded CA certificate that is used to validate a client's identity is sometimes referred
CA (Client
to as a trusted root certificate, a trusted authority certificate, or a trusted CA certificate. This
Authentication
CA certificate might be that of a trusted commercial certificate authority or it may be a
†
certificate)
privately generated certificate that an organization creates internally to provide a
mechanism to control access to resources that are protected by the SSL/TLS protocols.
See Key and Certificate Management
discuss the creation of CA Certificates.
A process using paired keys and identity certificates to prevent unauthorized access to the
Client
DeviceMaster. Client authentication is discussed in
Authentication
Changing Keys and Certificates
This is a private/public key pair that is used by some cipher suites to encrypt the SSL/TLS
handshaking messages. Possession of the private portion of the key pair allows an
eavesdropper to decrypt traffic on SSL/TLS connections that use DH encryption during
handshaking.
The DH (Diffie-Hellman) key exchange, also called exponential key exchange, is a method of
digital encryption that uses numbers raised to specific powers to produce decryption keys on
the basis of components that are never directly transmitted, making the task of a would-be
DH Key Pair
code breaker mathematically overwhelming.
Used by SSL
†
Servers
The most serious limitation of Diffie-Hellman (DH key) in its basic or pure form is the lack of
authentication. Communications using Diffie-Hellman all by itself are vulnerable to
the middle
authentication method such as digital signatures to verify the identities of the users over the
public communications medium.
See Certificates and Keys
more information.
† All DeviceMaster units are shipped from the factory with identical configurations. They all have the
identical, self-signed, Comtrol Server RSA Certificates, Server RSA Keys, Server DH Keys, and no Client
Authentication Certificates. For maximum data and access security, you should configure all DeviceMaster
units with custom certificates and keys.
DeviceMaster Installation and Configuration Guide: 2000594 Rev. F
Removing DeviceMaster Security Features
Returning the DeviceMaster to Factory Defaults
Term or Issue Explanation
on Page 86.
attacks. Ideally, Diffie-Hellman should be used in conjunction with a recognized
on Page 75 and
on Page 169 if you need to reset
on Page 83 for more information. This section does not
Client Authentication
Key and Certificate Management
on Page 171 if you want to
on Page 75 and
man in
on Page 83 for
DeviceMaster Security - 65