DeviceMaster LT Security; Understanding Security Methods and Terminology - Comtrol DeviceMaster LT User Manual


DeviceMaster LT Security

This subsection provides a basic understanding of the DeviceMaster LT security options and the repercussions of setting these options. See DeviceMaster LT Security Features on Page 54 and Returning the DeviceMaster LT to Factory Defaults on Page 131 if you need to reset DeviceMaster LT security options. See Page 133 if you want to return the DeviceMaster LT settings to their default values.

Understanding Security Methods and Terminology

The following table provides background information and definitions.

Term or Issue: CA (Client Authentication certificate)
Explanation:
If configured with a CA certificate, the DeviceMaster LT requires all SSL/TLS clients to present an RSA identity certificate that has been signed by the configured CA certificate. As shipped, the DeviceMaster LT is not configured with a CA certificate and all SSL/TLS clients are allowed.
This uploaded CA certificate, which is used to validate a client's identity, is sometimes referred to as a trusted root certificate, a trusted authority certificate, or a trusted CA certificate. The CA certificate might be that of a trusted commercial certificate authority, or it may be a privately generated certificate that an organization creates internally to control access to resources that are protected by the SSL/TLS protocols. See Key and Certificate Management on Page 61 for more information. This section does not discuss the creation of CA certificates.

Term or Issue: Client Authentication
Explanation:
A process using paired keys and identity certificates to prevent unauthorized access to the DeviceMaster LT. Client authentication is discussed in Changing Keys and Certificates on Page 54 and Removing Client Authentication on Page 64.

Term or Issue: DH Key Pair Used by SSL Servers
Explanation:
This is a private/public key pair that is used by some cipher suites to encrypt the SSL/TLS handshaking messages. Possession of the private portion of the key pair allows an eavesdropper to decrypt traffic on SSL/TLS connections that use DH encryption during handshaking.
The DH (Diffie-Hellman) key exchange, also called exponential key exchange, is a method of digital encryption that uses numbers raised to specific powers to produce decryption keys on the basis of components that are never directly transmitted, making the task of a would-be code breaker mathematically overwhelming.
The most serious limitation of Diffie-Hellman (DH key) in its basic or pure form is the lack of authentication. Communications using Diffie-Hellman by itself are vulnerable to man in the middle attacks. Ideally, Diffie-Hellman should be used in conjunction with a recognized authentication method, such as digital signatures, to verify the identities of the users over the public communications medium. See Certificates and Keys on Page 61 for more information.

† All DeviceMaster LT units are shipped from the factory with identical configurations. They all have the identical, self-signed, Comtrol Server RSA Certificates, Server RSA Keys, Server DH Keys, and no Client Authentication Certificates. For maximum data and access security, you should configure all DeviceMaster LT units with custom certificates and keys.

DeviceMaster LT User Guide: 2000586 Rev. B
DeviceMaster LT Security - 45
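As an added example, not taken from the Comtrol manual or firmware: a toy Diffie-Hellman exchange in Python showing the two points made for the DH key pair above, that the session key is derived from values never sent on the wire, and that without binding the public value to an identity a substituted value goes unnoticed while a verified binding rejects it. The group parameters, the pre-shared verification key and the HMAC standing in for a digital signature are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only (not a standard DH group):
# p = 2^127 - 1 is prime, g = 3. Real deployments use a 2048-bit or larger group.
P = (1 << 127) - 1
G = 3
# Constructed pre-shared verification key; it stands in for the signing key and
# certificate that a real digital-signature scheme would use.
AUTH_KEY = b"constructed-demo-verification-key"

def dh_keypair() -> tuple[int, int]:
    """Private exponent x and public value g^x mod p; only the public value is sent."""
    while True:
        priv = secrets.randbelow(P - 2) + 1
        pub = pow(G, priv, P)
        if 1 < pub < P - 1:  # never hand out a degenerate public value
            return priv, pub

def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    """Session key from our private exponent and the peer's public value."""
    if not 1 < peer_pub < P - 1:  # reject values that would force a known secret
        raise ValueError("invalid peer public value")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def sign_public(pub: int) -> bytes:
    """Bind a public value to an identity (HMAC stand-in for a digital signature)."""
    return hmac.new(AUTH_KEY, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def verify_public(pub: int, tag: bytes) -> bool:
    return hmac.compare_digest(sign_public(pub), tag)

def exchange(authenticate: bool, substitute: bool) -> dict:
    """One Alice-to-Bob exchange. With substitute=True an intermediary replaces
    Alice's public value with its own, the man-in-the-middle case from the text."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    tag = sign_public(a_pub) if authenticate else b""
    _, m_pub = dh_keypair()  # the intermediary's own public value
    seen_pub = m_pub if substitute else a_pub  # what actually reaches Bob
    if authenticate and not verify_public(seen_pub, tag):
        return {"accepted": False, "keys_match": False}  # substitution detected
    bob_key = dh_shared_key(b_priv, seen_pub)
    alice_key = dh_shared_key(a_priv, b_pub)
    return {"accepted": True, "keys_match": bob_key == alice_key}
```

Without authentication the substituted exchange is "accepted" but the two sides hold different keys, which is exactly the undetected man-in-the-middle condition the table warns about.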
