Understanding How Certificates Are Employed

Certificates first found use in providing strong authentication for applications. When employed in this manner, each application may implement the actual authentication process differently, but they all use the same kind of certificate, in the X.509 format.

Secure Socket Layer (SSL) is one of the most widely used and best known means of certificate-based authentication. With the emergence of e-commerce, SSL's ability to negotiate the keys used to encrypt the SSL session is widely used to secure everything from online purchases to online banking. Among applications that rely on SSL, one of the most widely used is HTTPS. With the availability of SSL, other applications that previously employed weaker forms of authentication and no encryption were modified to use SSL. Among these are such popular applications as Simple Mail Transfer Protocol (SMTP), LDAP, and Post Office Protocol version 3 (POP3).

One of the most important extensions to secure communications is Multipurpose Internet Mail Extensions (MIME). MIME allows arbitrary data to be included in an e-mail. A further enhancement (more properly called an "extension") to e-mail focused on providing greater security for entire mail messages or for parts of messages. With Secure MIME (S/MIME), you can authenticate and encrypt e-mail messages.

Certificates may also be used at either the network or application layer by network devices. For instance, Cisco routers, Cisco VPN concentrators, and Cisco PIX firewalls can use certificates to authenticate IPsec peers.

End devices and devices connecting to the LAN may be authenticated by Cisco switches. This authentication process employs 802.1X between the adjacent devices and may be proxied to a central access control server (ACS) via Extensible Authentication Protocol with TLS (EAP-TLS). Cisco routers can now use SSL to establish secure TN3270 sessions rather than providing Telnet 3270 support, which includes neither encryption nor strong authentication.

Figure 14-12 shows certificates being used for various purposes within a network. As you can see, a single CA server may facilitate a number of different applications that require digital certificates for authentication purposes. Using CA servers in these instances provides a solution that simplifies the management of the authentication process. It also provides significant security based on the cryptographic mechanisms used in combination with digital certificates.

Figure 14-12 Applying Certificates

[Figure: a CA server providing certificates to an External Web Server, an Internet Mail Server, and a VPN Concentrator]

• Certificates can be used for various purposes.

• One CA server can be used for all types of authentication as long as all types support the same PKI procedures.