Authentication options, Authentication security model – Cobalt Co9992-4ENC-4K-HEVC Software-Defined Broadcast Encoder User Manual


The –RSA ciphers (and the NULL cipher) use RSA keys and certificates, and the –ECDSA
ciphers use ECDSA keys and certificates.
The actual cipher to be finally used when the tunnel is established is negotiated at connection
time, and is reported in the DashBoard GUI. Please note that if the tunnel endpoints are
configured in such a way that there is no allowed common cipher, the tunnel will fail to connect.
If the Authentication checkbox in Figure 3 is not checked, the device will agree to connect to
any other device (regardless of whether it actively starts the connection as a client, or it waits to
be contacted as a server). The communication will still be encrypted, but the identity of the
peer is not verified.

Authentication Options

All Cobalt devices with RIST Main Profile support include the following:

A built-in Certificate Authority (CA), which includes a key and the corresponding
certificate.

A built-in RSA key and corresponding certificate, signed by the built-in CA.

A built-in ECDSA key and corresponding certificate, signed by the built-in CA.

Internal certificates are generated with a 10-year duration. At boot time, the device will always
check if the certificates are expired or not yet valid, and will re-generate new certificates if this is
the case. However, when using authentication, it is very important to have a valid date/time in
the device. All Cobalt devices support NTP synchronization.
Cobalt devices offer the following features (available independently for RSA and ECDSA
modes):

Users can upload new key/certificate pairs for the device to use.

Users can obtain CSRs derived from the built-in device keys.

Users can upload a CSR, have it signed by the local CA, and download the corresponding
certificates.

Users can upload new certificates matching the built-in keys.

Users can back-up and restore the local CA key.

Users can download the local CA and encryption certificates.

While authentication can be individually enabled/disabled on a per-tunnel basis (by using the
Authentication checkbox shown in Figure 3), the keys and certificates are shared between all
tunnels.
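
The following is an added example, not taken from the Cobalt manual or firmware: shell functions using the OpenSSL command line to run the checks an operator would want on a downloaded CA certificate and a CA-signed device certificate (chain, validity window, key match). The throwaway CA, the subject names and all file names are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: the CA, subject names and file names are placeholders,
# standing in for files downloaded from a device's web interface.

# make_test_pki DIR: throwaway CA plus an ECDSA key, its CSR, and the
# CA-signed certificate (10-year validity, as the manual states for built-ins).
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Local CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/dev.key" || return 1
    openssl req -new -key "$d/dev.key" -subj "/CN=example-encoder" \
        -out "$d/dev.csr" || return 1
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 3650 -out "$d/dev.crt" 2>/dev/null || return 1
}

# check_cert CA CERT [SECONDS]
#   0 = chains to CA, valid now, and still valid SECONDS from now
#   1 = not signed by CA   2 = expired or not yet valid by this host's clock
#   3 = expires within SECONDS
check_cert() {
    ca=$1 cert=$2 margin=${3:-0}
    # Signature chain only, ignoring dates
    openssl verify -no_check_time -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # Same check with dates, so a wrong clock shows up as code 2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 2
    openssl x509 -in "$cert" -noout -checkend "$margin" >/dev/null 2>&1 || return 3
    return 0
}

# cert_matches_key CERT KEY: true when CERT carries KEY's public key
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```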

Authentication Security Model

Authentication involves the use of two interfaces:

The DashBoard GUI is used to configure the authentication parameters.

A web interface is used to move files in and out of the device.

The security model assumes that the DashBoard interface is secured – i.e., the network where
DashBoard communication is happening is a secure network and no further security measures
are needed.
The web interface requires a password to complete all operations that involve uploading a file to
the device. The web interface can also be enabled or disabled on individual network interfaces.
If the device has a management port, the web interface is always available on this port.
