Authentication, Public key infrastructure, Public keys – Allied Telesis AT-S63 User Manual

Chapter 34: PKI Certificates and SSL

792

Section VIII: Management Security

Authentication

Authentication is the process of ensuring that both the web site and the
end user are genuine. In other words, they are not imposters. Both the
server and an individual users need to be authenticated. This is especially
important when transmitting secure data over the Internet.

To verify the authenticity of a server, the server has a public and private
key. The public key is given to the user.

SSL uses certificates for authentication. A certificate binds a public key to
a server name. A certification authority (CA) issues certificates after
checking that a public key belongs to its claimed owner. There are several
agencies that are trusted to issue certificates. Individual browsers have
approved Root CAs that are built in to the browser.

Public Key

Infrastructure

The public key infrastructure (PKI) feature is part of the switch’s suite of
security modules, and consists of a set of tools for managing and using
certificates. The tools that make up the PKI allow the switch to securely
exchange public keys, while being sure of the identity of the key holder.

The switch acts as an End Entity (EE) in a certificate-based PKI. More
specifically, the switch can communicate with Certification Authorities
(CAs) and Certificate Repositories to request, retrieve and verify
certificates.The switch allows protocols running on the switch, such as
ISAKMP, access to these certificates. The following sections of this
chapter summarize these concepts and describe the switch’s
implementation of them.

Public Keys

Public key encryption involves the generation of two keys for each user,
one private and one public. Material encrypted with a private key can only
be decrypted with the corresponding public key, and vice versa. An
individual’s private key must be kept secret, but the public key may be
distributed as widely as desired, because it is impossible to calculate the
private key from the public key. The advantage of public key encryption is
that the private key need never be exchanged, and so can be kept secure
more easily than a shared secret key.

Message

Encryption

One of the two main services provided by public key encryption is the
exchange of encrypted messages. For example, user 1 can send a secure
message to user 2 by encrypting it with user 2’s public key. Only user 2
can decrypt it, because only user 2 has access to the corresponding
private key.

Digital Signatures

The second main service provided by public key encryption is digital
signing. Digital signatures both confirm the identity of the message’s
supposed sender and protect the message from tampering. Therefore
they provide message authentication and non-repudiation. It is very
difficult for the signer of a message to claim that the message was
corrupted, or to deny that it was sent.