Lantronix PremierWave XC PremierWave XC - User Guide - Page 95

: Security in Detail, Public Key Infrastructure, TLS (SSL), Digital Certificates

Get Lantronix PremierWave XC PDF manuals and user guides View all Lantronix PremierWave XC manuals
Add to My Manuals
Save this manual to your list of manuals

Page 95 highlights

14: Security in Detail Public Key Infrastructure Public Key Infrastructure (PKI) is based on an encryption technique that uses two keys: a public key and private key. Public keys can be used to encrypt messages which can only be decrypted using the private key. This technique is referred to as asymmetric encryption, as opposed to symmetric encryption, in which a single secret key is used by both parties. TLS (SSL) Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), use asymmetric encryption for authentication. In some scenarios, only a server needs to be authenticated, in others both client and server authenticate each other. Once authentication is established, clients and servers use asymmetric encryption to exchange a secret key. Communication then proceeds with symmetric encryption, using this key. SSH and some wireless authentication methods on the PremierWave XC make use of SSL. The PremierWave XC supports SSLv2, SSlv3, and TLS1.0. TLS/SSL application hosts use separate digital certificates as a basis for authentication in both directions: to prove their own identity to the other party, and to verify the identity of the other party. In proving its own authenticity, the PremierWave XC will use its own "personal" certificate. In verifying the authenticity of the other party, the PremierWave XC will use a "trusted authority" certificate. In short:  When using EAP-TLS, the PremierWave XC needs a personal certificate with matching private key to identify itself and sign its messages.  When using EAP-TLS, EAP-TTLS or PEAP, the PremierWave XC needs the authority certificate(s) that can authenticate those it wishes to communicate with. Digital Certificates The goal of a certificate is to authenticate its sender. It is analogous to a paper document that contains personal identification information and is signed by an authority, for example a notary or government agency. With digital certificates, a cryptographic key is used to create a unique digital signature. Trusted Authorities A private key is used by a trusted certificate authority (CA) to create a unique digital signature. Along with this private key is a certificate of authority, containing a matching public key that can be used to verify the authority's signature but not re-create it. A chain of signed certificates, anchored by a root CA, can be used to establish a sender's authenticity. Each link in the chain is certified by a signed certificate from the previous link, with PremierWave XC User Guide 95

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
PremierWave XC User Guide
95
14: Security in Detail
Public Key Infrastructure
Public Key Infrastructure (PKI) is based on an encryption technique that uses two keys: a public
key and private key.
Public keys can be used to encrypt messages which can only be decrypted
using the private key.
This technique is referred to as asymmetric encryption, as opposed to
symmetric encryption, in which a single secret key is used by both parties.
TLS (SSL)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), use
asymmetric encryption for authentication. In some scenarios, only a server needs to be
authenticated, in others both client and server authenticate each other. Once authentication is
established, clients and servers use asymmetric encryption to exchange a secret key.
Communication then proceeds with symmetric encryption, using this key.
SSH and some wireless authentication methods on the PremierWave XC make use of SSL. The
PremierWave XC supports SSLv2, SSlv3, and TLS1.0.
TLS/SSL application hosts use separate digital certificates as a basis for authentication in both
directions: to prove their own identity to the other party, and to verify the identity of the other party.
In proving its own authenticity, the PremierWave XC will use its own "personal" certificate. In
verifying the authenticity of the other party, the PremierWave XC will use a "trusted authority"
certificate.
In short:
When using EAP-TLS, the PremierWave XC needs a personal certificate with matching
private key to identify itself and sign its messages.
When using EAP-TLS, EAP-TTLS or PEAP, the PremierWave XC needs the authority
certificate(s) that can authenticate those it wishes to communicate with.
Digital Certificates
The goal of a certificate is to authenticate its sender. It is analogous to a paper document that
contains personal identification information and is signed by an authority, for example a notary or
government agency. With digital certificates, a cryptographic key is used to create a unique digital
signature.
Trusted Authorities
A private key is used by a trusted certificate authority (CA) to create a unique digital signature.
Along with this private key is a certificate of authority, containing a matching public key that can
be used to verify the authority's signature but not re-create it.
A chain of signed certificates, anchored by a root CA, can be used to establish a sender's
authenticity.
Each link in the chain is certified by a signed certificate from the previous link, with