Fusion stream encryption
How does fusion stream encryption work?
To use fusion stream encryption, every client machine authorized to view encrypted data must have a
private key installed, and that private key must match one of the encryption certificates configured on the
Archiver.
Two-level encryption
The Archiver uses a two-level encryption strategy to protect the privacy of your data.
• First-level encryption: The Archiver receives the data stream as plaintext from the camera, then encrypts
it with randomly generated symmetric keys that change every minute. The sequence of symmetric keys is
called the master key stream. The master key stream is the first key needed to unlock the private data, and
the same master key stream serves all client machines.
• Second-level encryption: To ensure that only authorized clients can access the master key stream, the
Archiver protects it with public key encryption (see RSA). The Archiver encrypts the master key stream
separately for each authorized client, using that client's public key. Only the client that has the matching
private key installed can unlock the master key stream (the first key). The private key is the second key
needed to unlock the private data, and it must stay on the client machine.
The public and private keys are part of an encryption certificate that is created for a specific client. The
certificate also identifies the client. To enable encryption, the certificate must be stripped of its private key
and handed to the Archiver. The Archiver then takes the public key from the certificate to encrypt the master
key stream for that client. For this reason, the encrypted master key stream is called the client-specific key
stream.
When the client requests encrypted data, it identifies itself to the Archiver by sending its certificate along
with the data request. Based on the certificate, the Archiver knows which client is requesting the data, and
sends the corresponding client-specific key stream with the encrypted data stream to the client. Since only
the intended client has the matching private key, only the intended client can decrypt the information.
Summary
All video that is to be protected first goes through the Archiver before it is sent to the requesting client.
The Archiver encrypts the video and sends the requested information bundled in a composite stream called
the fusion stream. The fusion stream contains both the encrypted data streams and their corresponding
client-specific key streams.
If the fusion stream is intercepted by an unauthorized party on its way to the intended client, it remains
protected: without the client's private key, the interceptor can neither unwrap the client-specific key stream
nor decrypt the data it protects. That protection therefore rests entirely on the private key staying on the
authorized client machine.
BEST PRACTICE: Create the encryption certificate on the client machine that will request to view the video,
so that the private key never has to leave that machine. This limits the exposure of the private key.
Related Topics
Preventing users from viewing encrypted data on a specific machine on page 488
Authorizing a new client to view all data from an encrypted camera on page 491
techdocs.genetec.com | Security Center Administrator Guide 5.10
EN.500.003-V5.10.0.0(1) | Last updated: March 9, 2021 480
Fusion stream encryption scenarios
When a client machine requests a data stream (video, audio, metadata) from an encrypted camera, the
Archiver sends a fusion stream containing all the information the client needs, and only what it needs.
Scenario setup
You want all video and audio from Camera-1 to be encrypted, and you want two workstations, Client A and
Client B, to have access. First you request and install an encryption certificate on each of them. Then you
enable encryption on the Archiver in charge of Camera-1, using the certificates (with their private keys
stripped) obtained from Client A and Client B.
The following diagram illustrates your setup with Client B requesting video from Camera-1.
What happens when encryption is enabled
• Motion detection performed by the Archiver on Camera-1 is disabled.
• Multicast from Camera-1 is disabled.
• The Archiver generates a fusion stream for archiving, which includes (see illustration):
• One encrypted video stream.
• One client-specific key stream so Client A can decrypt the video stream.
• One client-specific key stream so Client B can decrypt the video stream.
• One encrypted audio stream.
• One client-specific key stream so Client A can decrypt the audio stream.
• One client-specific key stream so Client B can decrypt the audio stream.
Scenario: Client B requests only video from Camera-1
• Client B sends a request for video from Camera-1 to Archiver, with its encryption certificate.
• The Archiver responds by sending a fusion stream to Client B, which includes (see illustration):
• Encrypted video stream.
• Client-specific key stream for Client B to decrypt the video.
Scenario: Client B requests both video and audio from Camera-1
• Client B sends a request for video and audio from Camera-1 to Archiver, with its encryption certificate.
• The Archiver responds by sending a fusion stream to Client B, which includes:
• Encrypted video stream.
• Client-specific key stream for Client B to decrypt the video.
• Encrypted audio stream.
• Client-specific key stream for Client B to decrypt the audio.
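The two-level scheme described under "Two-level encryption" and the Client A / Client B scenarios above, worked through in code. This is an added illustration written for this page, not Genetec code and not the Archiver's actual wire format. It assumes: each element of the input is one minute of plaintext, so one master key per element; AES-256-GCM for the first level; RSA-OAEP with SHA-256 for the second level, with the client name as OAEP label (an addition of this example that ties each wrapped key to the client it was made for); `GenerateClientKey` standing in for creating the encryption certificate on the client machine, and the client's certificate-based identification reduced to its name. `Archiver`, `FusionStream`, `Record`, `Serve` and `Decrypt` are hypothetical names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// FusionStream: per minute one AES-GCM ciphertext (nonce prepended); per client, one RSA-wrapped master key per minute.
type FusionStream struct {
	Data       [][]byte
	KeyStreams map[string][][]byte
}

// Archiver maps each authorized client name to the public key from its certificate.
type Archiver map[string]*rsa.PublicKey

func GenerateClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Record runs both levels: a fresh random AES-256 key per minute (first level), then every key RSA-OAEP-wrapped per client (second level).
func (a Archiver) Record(minutes [][]byte) (*FusionStream, error) {
	fs := &FusionStream{KeyStreams: map[string][][]byte{}}
	master := make([][]byte, len(minutes)) // the master key stream
	for m, pt := range minutes {
		master[m] = make([]byte, 32)
		rand.Read(master[m]) // crypto/rand never returns an error in Go 1.24+; it aborts instead
		gcm, err := gcmFor(master[m])
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce)
		fs.Data = append(fs.Data, gcm.Seal(nonce, nonce, pt, nil))
	}
	for client, pub := range a {
		wrapped := make([][]byte, len(master))
		for m, k := range master { // the OAEP label ties each wrapped key to its client
			var err error
			if wrapped[m], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, []byte(client)); err != nil {
				return nil, err
			}
		}
		fs.KeyStreams[client] = wrapped
	}
	return fs, nil
}

// Serve answers a request with the encrypted stream and only the requester's key stream.
func (a Archiver) Serve(archive *FusionStream, client string) (*FusionStream, error) {
	ks, ok := archive.KeyStreams[client]
	if !ok {
		return nil, fmt.Errorf("client %q is not authorized", client)
	}
	return &FusionStream{archive.Data, map[string][][]byte{client: ks}}, nil
}

// Decrypt (client side): unwrap each minute's master key with the private key, then open that minute's ciphertext.
func Decrypt(fs *FusionStream, client string, priv *rsa.PrivateKey) ([][]byte, error) {
	wrapped, ok := fs.KeyStreams[client]
	if !ok || len(wrapped) != len(fs.Data) {
		return nil, fmt.Errorf("no usable key stream for %q", client)
	}
	out := make([][]byte, len(fs.Data))
	for m, ct := range fs.Data {
		key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped[m], []byte(client))
		if err != nil { // a wrong private key ends here, before any data is touched
			return nil, fmt.Errorf("minute %d: cannot unwrap master key: %w", m, err)
		}
		gcm, err := gcmFor(key)
		if err != nil || len(ct) < gcm.NonceSize() {
			return nil, fmt.Errorf("minute %d: unusable key or truncated ciphertext", m)
		}
		if out[m], err = gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil); err != nil {
			return nil, fmt.Errorf("minute %d: tampered ciphertext: %w", m, err)
		}
	}
	return out, nil
}

func main() {
	privA, _ := GenerateClientKey()
	privB, _ := GenerateClientKey()
	ar := Archiver{"Client A": &privA.PublicKey, "Client B": &privB.PublicKey}
	archive, _ := ar.Record([][]byte{[]byte("minute 0 video"), []byte("minute 1 video")}) // constructed input
	served, _ := ar.Serve(archive, "Client B")
	got, err := Decrypt(served, "Client B", privB)
	fmt.Println(len(served.KeyStreams), string(got[1]), err) // 1 minute 1 video <nil>
}
```

The archived fusion stream carries one key stream per authorized client; Serve hands Client B the encrypted stream with only its own key stream, as in the scenario. Decrypting that stream with Client A's private key fails at the unwrap step and never reaches the data, and flipping a single ciphertext byte fails GCM authentication in Open, so an interceptor can neither read nor silently alter the stream.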
Performance impact of fusion stream encryption
Fusion stream encryption impacts the performance of the Archiver and the Security Desk workstations. You
may need to reevaluate the type and number of machines you need if you plan on enabling this feature.
Encryption impact on Archiver performance
The first encryption certificate enabled on the Archiver reduces its capacity by 30%. Each additional
encryption certificate applied to all cameras reduces the remaining capacity by a further 4%, so the
reductions compound: with n certificates the capacity is roughly base × 0.70 × 0.96^(n−1).
For example, on an Archiver that supports 300 cameras without encryption:

Number of certificates enabled               Number of supported cameras
0 encryption certificates (no encryption)    300 cameras
1 encryption certificate                     210 cameras
5 encryption certificates                    178 cameras
10 encryption certificates                   145 cameras
20 encryption certificates                    96 cameras
BEST PRACTICE: Do not exceed 20 encryption certificates per Archiver.
Encryption impact on workstation performance
Video decryption can increase workstation CPU usage by up to 40% when viewing low-resolution (CIF) video.
The impact becomes less noticeable as the resolution increases, because far more processing power is spent
on decoding the video than on decrypting it. When viewing HD and Ultra-HD video, the impact becomes
unnoticeable.