Encryption options – Cobalt Co9992-4ENC-4K-HEVC Software-Defined Broadcast Encoder User Manual

the Cobalt device. However, if you know that one type or another is not in use, you can skip the
authentication files for that type.
ECDSA ciphers are considered more secure than RSA ciphers. A Cobalt device will preferably
select ECDSA ciphers if supported.

RIST Main Profile Encryption and Authentication in Cobalt Devices

This section provides an overview of the encryption and authentication capabilities built into
Cobalt devices. These are provided in the context of RIST Main Profile tunnels. Encryption and
authentication are implemented using the DTLS protocol, which is the datagram version of the
standard TLS protocol used to secure web sites on the Internet.

Encryption options

RIST Tunnels are configured in the Network top tab, RIST Tunnels bottom tab. The number of
tunnels offered varies by device, and is set to the maximum number of channels that device can
support. For example, since the 9992-ENC encoder can support 4 simultaneous encoding
sessions, it can support up to 4 RIST Tunnels. Encryption is invoked simply by checking the
Encryption box. Once that box is checked, other options appear, as illustrated in Figure 3. The
device will offer a list of available cipher suites. When negotiating the DTLS connection, it will
accept any of the allowed ciphers. The full name of the offered cipher suites is:

AES128-RSA: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
AES128-ECDSA: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
AES256-RSA: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
AES256-ECDSA: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
NULL: TLS_RSA_WITH_NULL_SHA256

The NULL cipher provides no encryption, only optional authentication, and is disabled by
default. It is provided for testing purposes and its use in production is strongly discouraged.

Figure 3: Configuring Encryption
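
As an added example (not from the Cobalt manual or firmware), the Python code below reads the cipher suite chosen in a captured DTLS ServerHello record and flags the NULL suite or any suite outside the list above, which is one way to confirm from a packet capture what a tunnel actually negotiated. It assumes a single unfragmented ServerHello record; the function names and sample bytes are constructed for illustration, and the numeric IDs are the IANA code points for the named suites.

```python
import struct

# IANA code points for the five suites listed on this page, mapped to its labels.
COBALT_SUITES = {0xC02F: "AES128-RSA", 0xC02B: "AES128-ECDSA",
                 0xC030: "AES256-RSA", 0xC02C: "AES256-ECDSA", 0x003B: "NULL"}
NULL_SUITE = 0x003B  # TLS_RSA_WITH_NULL_SHA256: integrity only, no encryption

def negotiated_suite(record: bytes) -> int:
    """Return the cipher suite id chosen in one DTLS ServerHello record."""
    if len(record) < 13:
        raise ValueError("shorter than a DTLS record header")
    # Record header: type(1) version(2) epoch(2) sequence(6) length(2)
    ctype, _ver, _epoch, _seq, rlen = struct.unpack("!BHH6sH", record[:13])
    body = record[13:13 + rlen]
    if ctype != 22 or len(body) != rlen or rlen < 12:
        raise ValueError("not a complete DTLS handshake record")
    # Handshake header: type(1) length(3) msg_seq(2) frag_offset(3) frag_length(3)
    if body[0] != 2:
        raise ValueError("handshake message is not a ServerHello")
    frag_off = int.from_bytes(body[6:9], "big")
    hello = body[12:12 + int.from_bytes(body[9:12], "big")]
    if frag_off != 0 or len(hello) < 35:
        raise ValueError("fragmented or truncated ServerHello")
    sid_len = hello[34]  # follows server_version(2) and random(32)
    suite = hello[35 + sid_len:37 + sid_len]
    if len(suite) != 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(suite, "big")

def check(record: bytes) -> tuple[str, bool]:
    """Return (label, ok); ok is False for NULL or a suite not listed above."""
    suite = negotiated_suite(record)
    label = COBALT_SUITES.get(suite, f"unlisted 0x{suite:04X}")
    return label, suite in COBALT_SUITES and suite != NULL_SUITE

def sample_record(suite: int) -> bytes:
    """Constructed DTLS 1.2 ServerHello: zero random, empty session id."""
    hello = b"\xfe\xfd" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    n = len(hello).to_bytes(3, "big")
    hs = b"\x02" + n + bytes(2) + bytes(3) + n + hello
    return b"\x16\xfe\xfd" + bytes(8) + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for suite_id in (0xC02C, NULL_SUITE, 0x009C):
        print(check(sample_record(suite_id)))
```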
