EDS-MD® Medical Device Server User Guide
69
10: Security Settings
The EDS-MD device supports Secure Shell (SSH) and Secure Sockets Layer (SSL). SSH is a
network protocol for securely accessing a remote device. SSH provides a secure, encrypted
communication channel between two hosts over a network. It provides authentication and
message integrity services.
Secure Sockets Layer (SSL) is a protocol that manages data transmission security over the
Internet. It uses digital certificates for authentication and cryptography against eavesdropping and
tampering. It provides encryption and message integrity services. SSL is widely used for secure
communication to a web server. SSL uses certificates and private keys.
Note:
The device supports SSLv3 and its successors, TLS1.0 and TLS1.1. An incoming
SSLv2 connection attempt is answered with an SSLv3 response. If the initiator also
supports SSLv3, SSLv3 handles the rest of the connection.
Public Key Infrastructure
Public key infrastructure (PKI) is based on an encryption technique that uses two keys: a public
key and private key. Public keys can be used to encrypt messages which can only be decrypted
using the private key. This technique is referred to as asymmetric encryption, as opposed to
symmetric encryption, in which a single secret key is used by both parties.
TLS (SSL)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), use asymmetric
encryption for authentication. In some scenarios, only a server needs to be authenticated, in
others both client and server authenticate each other. Once authentication is established, clients
and servers use asymmetric encryption to exchange a secret key. Communication then proceeds
with symmetric encryption, using this key.
SSH and some authentication methods on the EDS-MD device servers make use of SSL. The
EDS-MD 4/8/16 unit supports SSLv2, SSLv3, and TLS1.0.
TLS/SSL application hosts use separate digital certificates as a basis for authentication in both
directions: to prove their own identity to the other party, and to verify the identity of the other party.
In proving its own authenticity, the EDS-MD device servers will use its own "personal" certificate.
In verifying the authenticity of the other party, the EDS-MD devices will use a "trusted authority"
certificate.
In short:
When using EAP-TLS, the EDS-MD device server needs a personal certificate with matching
private key to identify itself and sign its messages.
When using EAP-TLS, EAP-TTLS or PEAP, the EDS-MD unit needs the authority certificate(s)
that can authenticate those it wishes to communicate with.