How does fusion stream encryption work? - Security Center 5.12

Security Center Administrator Guide 5.12

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.12
Language: English
Last updated: 2024-09-13

The application of fusion stream encryption requires that all client machines authorized to view encrypted data have a private key installed. The private key must match one of the encryption certificates configured on the Archiver.

Two-level encryption

The Archiver uses a two-level encryption strategy to protect the privacy of your data.
  • First-level encryption: The Archiver receives the data stream as plaintext from the camera. Then the Archiver encrypts the data stream using randomly generated symmetric keys that change every minute. The stream of symmetric keys is called the master key stream. The master key stream is the first key needed to unlock the private data. It is shared by all client machines.
  • Second-level encryption: To ensure that only authorized clients can access the master key stream, the Archiver protects it using public-key encryption (see RSA). The Archiver encrypts the master key stream individually for each authorized client, using a public key. Only the client that has the private key (matching the public key) installed can unlock the master key stream (the first key). The private key is the second key needed to unlock the private data. This private key must be kept on the client machine.

The public and private keys are part of an encryption certificate that is created for a specific client. The certificate also identifies the client. To enable encryption, the certificate must be stripped of its private key and handed to the Archiver. The Archiver then takes the public key from the certificate to encrypt the master key stream for that client. For this reason, the encrypted master key stream is called the client-specific key stream.

When the client requests encrypted data, it identifies itself to the Archiver by sending its certificate along with the data request. Based on the certificate, the Archiver knows which client is requesting the data, and sends the corresponding client-specific key stream with the encrypted data stream to the client. Since only the intended client has the matching private key, only the intended client can decrypt the information.
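The following Go program models the two-level scheme described above. It is an added illustration, not Genetec code, and it makes assumptions the page does not state: AES-256-GCM stands in for the "randomly generated symmetric keys", RSA-OAEP for the public-key layer, and a simple period index stands in for the one-minute key rotation. Key pairs are generated in memory rather than taken from an installed certificate, and the sample frame is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Frame is one unit of the encrypted data stream. Period records which
// master key (which minute) encrypted it. Constructed type for this example.
type Frame struct {
	Period     int
	Nonce      []byte
	Ciphertext []byte
}

// MasterKeyStream holds one random 256-bit AES key per period
// (the page's "master key stream", shared by all clients).
type MasterKeyStream [][]byte

// ClientKeyStream holds the same keys, each RSA-OAEP-wrapped for one client
// (the page's "client-specific key stream").
type ClientKeyStream [][]byte

// NewMasterKeyStream draws `periods` fresh symmetric keys (assumed AES-256).
func NewMasterKeyStream(periods int) (MasterKeyStream, error) {
	ks := make(MasterKeyStream, periods)
	for i := range ks {
		ks[i] = make([]byte, 32)
		if _, err := rand.Read(ks[i]); err != nil {
			return nil, err
		}
	}
	return ks, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFrame is the first level: AES-256-GCM under the period's master key.
func EncryptFrame(ks MasterKeyStream, period int, plaintext []byte) (Frame, error) {
	gcm, err := newGCM(ks[period])
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	return Frame{Period: period, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// WrapForClient is the second level: every master key is encrypted with
// RSA-OAEP under the public key the Archiver took from the client's certificate.
func WrapForClient(ks MasterKeyStream, pub *rsa.PublicKey) (ClientKeyStream, error) {
	cks := make(ClientKeyStream, len(ks))
	for i, k := range ks {
		c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
		if err != nil {
			return nil, err
		}
		cks[i] = c
	}
	return cks, nil
}

// DecryptFrame is the client side: unwrap the period's master key with the
// private key that never left the client, then open the frame. A private key
// that does not match the wrapping public key fails at the unwrap step.
func DecryptFrame(cks ClientKeyStream, priv *rsa.PrivateKey, f Frame) ([]byte, error) {
	if f.Period < 0 || f.Period >= len(cks) {
		return nil, errors.New("no wrapped master key for this period")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, cks[f.Period], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap master key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	ks, _ := NewMasterKeyStream(3)
	authorized, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the installed certificate
	other, _ := rsa.GenerateKey(rand.Reader, 2048)      // a client the Archiver never wrapped for
	frame, _ := EncryptFrame(ks, 2, []byte("constructed sample frame"))
	cks, _ := WrapForClient(ks, &authorized.PublicKey)
	pt, err := DecryptFrame(cks, authorized, frame)
	fmt.Printf("authorized client: %q err=%v\n", pt, err)
	_, err = DecryptFrame(cks, other, frame)
	fmt.Println("other client:", err)
}
```

The point to take from the model is that an intercepted bundle of frames plus a client-specific key stream is useless without that client's private key: the RSA unwrap fails before any video bytes can be decrypted, which is why the page insists the private key stays on the client machine.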

Genetec™ Mobile and Genetec™ Web App cannot directly decrypt fusion streams. When a mobile or web client requests an encrypted video, the Media Gateway role decrypts the fusion stream. The system then transmits the video stream to the requester through the role (Mobile Server or Web App Server) that manages it. This transmission is secured using Transport Layer Security (TLS).
NOTE: To decrypt a fusion stream encrypted video, you must install an encryption certificate with a private key on the server that hosts the Media Gateway role.

Summary

All video that requires protection must first pass through the Archiver before it is sent to the requesting client. The Archiver encrypts the video and sends the requested information bundled in a composite stream called the fusion stream. The fusion stream contains both the encrypted data streams and their corresponding client-specific key streams.

If the fusion stream is intercepted by an unauthorized party on its way to the intended client, it remains protected because the unauthorized party does not have the private key, and thus cannot decrypt the data contained within.
Best Practice: It is recommended to create the encryption certificate on the client machine that will be requesting to view the video. This limits the exposure of the private key.