Black Box ET0010A User Manual

Using Enhanced Security Features
EncrypTight User Guide
Strong password enforcement
ETEPs with software version 1.6 or later can be configured to use strong password enforcement. The 
conventions used with strong password enforcement are far more stringent than those used with the 
default password management. To learn more about strong password enforcement, see 
.
Strict authentication
With strict authentication, all communications between EncrypTight components are authenticated 
using certificates. To learn more about strict authentication and using certificates, see 
.
Hardware Security Module
A hardware security module (HSM) is available as an option for your ETKMSs. HSMs provide 
tamper-proof storage for encryption keys and certificates. To learn more about working with an HSM, 
see 
Common Access Cards
EncrypTight supports the use of smart cards such as the Common Access Cards used by the U.S. 
Department of Defense. The use of smart cards provides user authorization in addition to certificate-
based authentication. To learn more, see 
About Strict Authentication
EncrypTight uses the Transport Layer Security (TLS) protocol for secure communication between the 
different components of the system (the management workstation, the ETKMS, and the PEPs). 
EncrypTight can use either:
TLS with encryption only
TLS with encryption and strict authentication enabled
When strict authentication is enabled, all TLS communications between EncrypTight components are 
authenticated using certificates. Authenticating the communications between components provides an 
extra level of security. Optionally, you can also set up the system to validate certificates by checking 
Certificate Revocation Lists (CRLs) or by using the Online Certificate Status Protocol (OCSP). 
Strict authentication is available for ETEPs with software version 1.6 or later. Strict authentication is 
disabled by default. After you install certificates on all of the devices that you are going to use, you can 
enable strict authentication. 
CAUTION
Do not enable strict authentication before you install certificates on all of the EncrypTight components. 
Doing so can lead to errors and communication failures. 
A certificate is an electronic document that contains a public key that corresponds to the private key of 
the entity named as the subject of the certificate. Certificates can be generated by the entity itself (self-
signed) or they can be issued by a certificate authority (CA). A CA is a trusted organization that 
authenticates certificate applications, issues and revokes certificates, and maintains status information 
about certificates. CA-signed certificates help establish a chain of trust. Keys and certificates are stored in 
an encrypted, password-protected keystore.
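
The caution above makes certificate installation on every component a precondition for enabling strict authentication. The following pre-flight check is an added example, not part of the EncrypTight manual or software: it uses the generic openssl command line and assumes a CA-signed deployment in which each component's certificate has been exported as a PEM file named after the component (the names workstation, etkms, pep1 and pep2, the file layout and the throwaway CA are constructed for illustration).

```shell
# check_ready CA_FILE CERT_DIR COMPONENT...
# Returns 0 only if every named component has a certificate in CERT_DIR
# (assumed layout: <component>.pem) that verifies against CA_FILE.
check_ready() {
    ca=$1; dir=$2; shift 2
    failed=0
    for name in "$@"; do
        cert="$dir/$name.pem"
        if [ ! -s "$cert" ]; then
            echo "NOT READY  $name: no certificate found"
            failed=$((failed + 1))
        elif ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            echo "NOT READY  $name: certificate does not chain to the CA"
            failed=$((failed + 1))
        else
            echo "ok         $name: $(openssl x509 -in "$cert" -noout -subject)"
        fi
    done
    [ "$failed" -eq 0 ]
}

# Constructed sample data: a throwaway CA plus component certificates.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for name in workstation etkms; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" \
            -CAkey "$d/ca.key" -CAcreateserial -days 1 \
            -out "$d/$name.pem" 2>/dev/null
    done
    # pep1 holds a self-signed certificate that the CA never issued;
    # pep2 has no certificate file at all.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pep1" \
        -keyout "$d/pep1.key" -out "$d/pep1.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_ready "$tmp/ca.pem" "$tmp" workstation etkms pep1 pep2 \
    || echo "Do not enable strict authentication yet."
rm -rf "$tmp"
```

A certificate that passes this check can still be revoked; revocation is covered separately by the CRL or OCSP validation options described above.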