System information
Reference Guide Crestron 2-Series Control System
46 • 2-Series Control Systems Reference Guide – DOC. 6256A
Secure Sockets Layer (SSL)
Introduction
Ethernet-enabled control systems provide built-in support for Secure Sockets Layer
(SSL), the de facto standard for protecting Web-based communication between
clients and servers. SSL is a protocol that provides a secure channel for
communication between two machines. The secure channel is transparent, which
means that it passes the data through, unchanged. The data is encrypted between the
client and the server, but the data that one end writes is exactly what the other end
reads. The SSL protocol uses TCP as the medium of transport.
SSL ensures that the connection between a Web browser and Web server is secure
by providing authentication and encryption. Authentication confirms that servers,
and sometimes clients, are who they say they are. Encryption creates a secure
“tunnel” between the two, which prevents unauthorized access to the system.
The secure tunnel that SSL creates is an encrypted connection that ensures that all
information sent between the client and server remains private. SSL also provides a
mechanism for detecting if someone has altered the data in transit. If at any point
SSL detects that a connection is not secure, it will terminate the connection and the
client and server will have to establish a new, secure connection.
SSL uses both public-key and symmetric-key encryption techniques. Public keys
are a component of public-key cryptographic systems. The sender of a message uses
a public key to encrypt data; the recipient of the message can only decrypt the data
with the corresponding private key. Public keys are known to everybody, while
private keys are secret and only known to the recipient of the message. Since only
the server has access to its private key, only the server can decrypt the information.
This is how the information remains confidential and tamper-proof while in transit
across the network.
An SSL transaction consists of two distinct parts: the key exchange, and the bulk
data transfer. The SSL Handshake Protocol handles key exchange and the SSL
Record Protocol handles the bulk data transfer.
The key exchange (SSL handshake protocol) begins with an exchange of messages
called the SSL handshake. During the handshake, the server authenticates itself to
the client using public-key encryption techniques. Then the client and the server
create a set of symmetric keys that they use during that session to encrypt and
decrypt data and to detect if someone has tampered with the data. Symmetric key
encryption is much faster than public-key encryption, while public-key encryption
provides strong authentication techniques.
Once the key exchange is complete, the client and the server use this session key to
encrypt all communication between them. They do this encryption with a cipher, or
symmetric key encryption algorithm, such as RC4 or DES. This is the function of the
SSL Record Protocol. There are two types of ciphers, symmetric and asymmetric.
Symmetric ciphers require the same key for encryption and decryption, whereas with
asymmetric ciphers, data can be encrypted using a public key, but decrypted using a
private key.
SSL supports a variety of ciphers that it uses for authentication, transmission of
certificates, and establishing session keys. SSL-enabled devices can be configured to
support different sets of ciphers, called cipher suites.