Certificate Based Authentication

[Figure: Alex and Terry each send a certificate request to the CA, the trusted third party, which issues their digital certificates.]

© 2003, Cisco Systems, Inc. All rights reserved.

Digital certificates are used to authenticate users. They can be used to identify a person, company, or server. They are the equivalent of a passport or driver's license. The following example illustrates how this works:

Step 1 User A and user B register separately with the CA:

■ Each user generates a public and private key.

■ Certificate requests are completed by both users and forwarded to the CA.

■ The CA issues separate certificates and digitally signs them with its private key, thereby certifying the authenticity of the user.

■ Certificates are loaded and verified on both users' PCs.

Step 2 User A sends the certificate to user B.

Step 3 User B checks the authenticity of the CA signature on the certificate:

■ The CA public key is used to verify the CA signature on the certificate.

■ If it passes validation, it is safe to assume you are who you say you are; therefore, the message is valid.

Step 4 User B sends the certificate to user A:

■ The CA public key is used to verify the CA signature on the certificate. When verified, all subsequent communications can be accepted.

Note: Certificates are exchanged during the IPSec negotiations.


CA responsibilities:

• Create certificates

• Administer certificates

• Revoke invalid certificates


Certification Authorities (CAs) hold the key to the Public Key Infrastructure (PKI). A CA is a trusted third party whose job is to certify the authenticity of users to ensure that you are who you say you are.

The CA digital signature, created with the CA private key, guarantees authenticity. You can verify a digital signature using the CA public key. Only the CA public key can decrypt the digital signature on the certificate. The CA creates, administers, and revokes invalid certificates.

The CA can be a corporate network administrator or a recognized third party. Trusted sources supported by the Cisco VPN 3000 Series Concentrator include the following:

■ Network Associates PGP

■ Microsoft Verisign

[Figure: the central PKI model beside the hierarchical PKI model, with Terry, Pat, and Alex as the certificate holders.]

PKI is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. PKI makes it possible to generate and distribute keys within a secure domain and enables CAs to issue keys, associated certificates, and certificate revocation lists (CRLs) in a secure manner. The two PKI models are central and hierarchical authorities:

■ Central—A flat network design. A single authority, root CA, signs all certificates. Each employee who needs a certificate sends a request to the root CA. Small companies with several hundred employees may use central CA.

■ Hierarchical authority—A tiered approach. The ability to sign a certificate is delegated through a hierarchy. The top of the hierarchy is the root CA. It signs certificates for subordinate authorities. Subordinate CAs sign certificates for lower-level CAs or employees. Large, geographically dispersed corporations (for example, Cisco Systems) use hierarchical CAs. The root CA is located in San Jose, the company headquarters. Rather than having more than 30,000 employees making certificate requests back to San Jose, subordinate CAs are placed strategically around the world. Local employees request a certificate from the local subordinate CA.
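As an added example (not part of the Cisco course material), the following Go program uses the standard library's crypto/x509 to model both the exchange in steps 1 to 4 above and the two PKI models: a root CA issues certificates directly (central) or through a subordinate CA (hierarchical), and the receiving user verifies the CA signature with nothing but the root CA public key. The names Root CA, Subordinate CA, Alex, Terry, Pat and Rogue CA, and the functions issue and trusted, are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair for subject and has parent sign its certificate (parent == nil: self-signed root CA).
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: subject}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // only a CA may sign other certificates
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is user B's check in steps 3 and 4: verify the CA signature on cert with the root CA public key (via any subordinate CAs).
func trusted(cert, root *x509.Certificate, subs ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, s := range subs {
		inters.AddCert(s)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	root, rootKey := issue("Root CA", true, nil, nil)           // central model: root signs Alex directly
	alex, _ := issue("Alex", false, root, rootKey)
	sub, subKey := issue("Subordinate CA", true, root, rootKey) // hierarchical model: root -> subordinate -> Terry
	terry, _ := issue("Terry", false, sub, subKey)
	rogue, rogueKey := issue("Rogue CA", true, nil, nil)        // a CA user B never trusted (constructed for the demo)
	pat, _ := issue("Pat", false, rogue, rogueKey)
	fmt.Println(trusted(alex, root), trusted(terry, root, sub), trusted(terry, root), trusted(pat, root)) // true true false false
}
```

The third and fourth results show the two failure modes a verifier must reject: a hierarchical chain whose subordinate CA certificate was not supplied, and a certificate signed by a CA that is not in the trusted root set.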
