System information

Crestron 3-Series Control Systems Reference Guide, DOC. 7150A
The encryption algorithms and the key lengths supported in the 3-Series processor
are as follows:
Supported Encryption Algorithms and Key Lengths for 3-Series Processors

NAME   TYPE         SESSION KEY LENGTHS (BITS)   IN/OUT
DES    Symmetric    40 or 56                     DES
3DES   Symmetric    168                          3DES
RC2    Symmetric    40                           RC2
RC4    Symmetric    40 or 128                    RC4
AES    Symmetric    128 or 256                   AES
RSA    Asymmetric   1024                         RSA

SSL-enabled clients and servers confirm each other’s identities using digital
certificates. Digital certificates are issued by trusted third-party enterprises called
Certificate Authorities (CA). From the certificate, the sender can verify the
recipient's claimed identity and recover their public key. By validating digital
certificates, both parties can ensure that an imposter has not intercepted a
transmission and provided a false public key for which they have the correct private
key.
A CA-signed certificate provides several important capabilities for a web server:
• Browsers automatically recognize the certificate and allow a secure
  connection to be made, without prompting the user. (If a browser
  encounters a certificate whose authorizing CA is not in its list of trusted
  CAs, the browser prompts the user to accept or decline the connection.)
• When a CA issues a signed certificate, they are guaranteeing the identity of
  the organization that is providing the web pages to the browser.
Alternatively, self-signed certificates can be generated for secure web servers, but
self-signed certificates do not provide the same functionality as CA-signed
certificates. Browsers do not automatically recognize a self-signed certificate, and a
self-signed certificate does not provide any guarantee concerning the identity of the
organization that is providing the server.
There are various Certificate Authorities, notable among them being Thawte and
Verisign. For a fee, a CA investigates the organization hosting the server and issues a
certificate vouching for the identity of the server. The procedure for
obtaining/enrolling for a CA-signed certificate varies with each CA and is described
on their websites (e.g., www.thawte.com or www.verisign.com). However, all CAs
require a Certificate Signing Request (CSR). The CSR can be copied and pasted to
the online enrollment form or sent via e-mail to the CA, along with any other
pertinent information the CA requires. The CA then issues the certificate, usually via
e-mail. The Crestron Toolbox provides all the certificate management tools
necessary to generate a CSR and upload the certificate to the 3-Series processor.
The CA-signed certificate is an ASCII “base64” encoded text (*.cer) file, which the
3-Series processor converts to a binary file called \\SYS\srv_cert.der. As a part of the
CSR process, a private key is also created as \\SYS\srv_key.der. It is extremely
important to back up the private key, as it is unique to each CSR. If the private key is
lost, the certificate is useless and it would be necessary to begin the enrollment
process all over again.
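The base64-to-binary conversion described above, as an added example (not Crestron code and not part of the original guide): it decodes a base64 *.cer text file to DER and checks the outer ASN.1 length, so a certificate truncated during copy/paste or e-mail is caught before upload. The function names are hypothetical, and the sample is a constructed placeholder blob, not a real certificate.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(der: bytes) -> int:
    """Return the total size (header + body) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def cer_to_der(cer_text: str) -> bytes:
    """Convert base64 (*.cer) certificate text to DER bytes and check completeness."""
    m = PEM_RE.search(cer_text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"corrupt base64 body: {exc}") from exc
    declared = der_total_length(der)
    if declared != len(der):
        raise ValueError(f"DER declares {declared} bytes, decoded {len(der)}")
    return der

def make_sample_cer(der: bytes) -> str:
    """Wrap DER bytes in the 64-column base64 text layout used by *.cer files."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: a 260-byte placeholder with a valid outer SEQUENCE header
# (30 82 01 00) followed by 256 zero bytes. It is NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_CER = make_sample_cer(SAMPLE_DER)

if __name__ == "__main__":
    der = cer_to_der(SAMPLE_CER)
    print(len(der), "bytes of DER, outer SEQUENCE length verified")
```

The length check only confirms that the file arrived intact; it does not validate the certificate's signature or chain.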
Here is a description of an SSL transaction:
1. The browser sends a request for an SSL session to the web server.