About confidential video stream encryption - KiwiVision™ 4.6.1 | Security Center

KiwiVision™ User Guide for Security Center

Applies to
KiwiVision™ 4.6.1 | Security Center
Last updated
Content type
Guides > User guides

To protect a confidential video stream from unauthorized viewing, smart cards with encryption certificates can be used.

Security Center uses asymmetric cryptography to securely encrypt the video data. This is achieved by using public-key encryption.

Public-key encryption, also known as asymmetric encryption, is a type of encryption where two different keys are used to encrypt and decrypt information. The private key is a key that is known only to its owner, while the public key can be shared with other entities on the network. What is encrypted with one key can only be decrypted with the other key.

The public part of the certificate is used to encrypt the video. The private part of the certificate is used to decrypt the video.

Plain text Cypher text Plain text Decryption Encryption Private key Public key

The public part of the smart card certificate is installed on the Archiver server to encrypt the original stream.

The public part of the privacy protection server certificate is installed on the Archiver server to encrypt the stream so that privacy protection can decrypt it.

The certificate auto-generated by Security Center is reused on each server, this ensures that the private part of the certificate is already installed on the server hosting the Privacy Protector™ role. Other certificates can be used but they must be manually deployed to the appropriate server before use.
If a certificate expires it is no longer used for encryption. When there are no valid certificates left, video recording is stopped.
There are three machines involved in privacy protection stream encryption:
  • Archiver and Directory server
  • Privacy Protector™ server
  • Security Desk workstation
Certificate 1 public part Certificate 2 (card) public part Archiver server Privacy Protector server Security Desk client Decrypt the video for viewing Decrypt the video to perform the transformation Encrypt the video Encrypted confidential (private) video stream Unencrypted privacy protected - video stream Certificate 1 private part Certificate 2 (card) part private


The Archiver encrypts the original video stream using the smart card public key and the Windows standard certificate public key. In this situation, the Archiver is unable to decrypt the encrypted video, it only records the encrypted stream.

Auxiliary Archivers can only record the transformed privacy-protected public stream, not the original private (confidential) video stream. The Auxiliary Archiver only has access to the blurred stream and the stream also comes from the Privacy Protector™ role.
IMPORTANT: Activating encryption on the Archiver role for a camera will only encrypt the original stream. Turning on encryption means that the original video stream can no longer be shared.

Privacy Protector™

The Privacy Protector™ decrypts the original video stream encrypted by the Archiver using the Windows standard certificate private key and produces one privacy protected stream that is not encrypted.

Security Desk

Security Desk can display the privacy protected stream without any certificate. However, to see the original stream a smart card with the relevant private key is required.