CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configuration of security features, including AAA, DAA, NAC, BRAS access, ACL, firewall, deep security defense, local attack defense, attack defense, traffic suppression, ARP security, port security, DHCP snooping, IPSG, URPF, PKI, SSL, HTTPS, keychain, separation of the management plane from the service plane, and security risks.
PKI Basics

Public Key Encryption Algorithm

A public key encryption algorithm is also called an asymmetric encryption algorithm or a double-key encryption algorithm. It uses two different keys, one to encrypt data and the other to decrypt it.

A public key encryption algorithm uses a pair of keys: a public key and a private key. The public key can be distributed to any user, while the private key is kept secret by the intended data receiver. Data encrypted using one key of the pair can be decrypted only with the other key of the same pair.

RSA Key Pair

The digital certificate system depends on the public key system. The RSA encryption system is most widely used in the PKI.

RSA uses a pair of asymmetric keys: an RSA public key and an RSA private key. When an entity applies for a digital certificate, the certificate request must contain the entity's RSA public key.

The RSA key length (in bits) is the bit length of the RSA modulus. A larger modulus provides stronger key security, but it takes longer to generate the key pair and to encrypt or decrypt data with it.

Digital Fingerprint

A digital fingerprint is a fixed-length digit sequence computed from data by an algorithm. This digit sequence is also called a message digest and is usually obtained from the original data using a one-way hash algorithm.

Digital Signature

A digital signature is the data that the sender generates by encrypting the digital fingerprint of the original data with the sender's private key.

The receiver decrypts the digital signature attached to the original data using the sender's public key to obtain the digital fingerprint. The receiver then compares this fingerprint with the fingerprint obtained through an out-of-band method and uses the result to determine whether the original data has been tampered with.

Digital Certificate

A digital certificate is a file that is signed by a CA and contains the public key and identity of an entity. It binds the identity of the entity to the entity's public key, providing the basis for secure communication. The CA's signature guarantees the certificate's legitimacy and authority.

A certificate contains multiple fields, including the name of the certificate issuer, the public key of the entity, the digital signature of the CA, and the certificate validity period.


This document involves two types of digital certificates: local certificates and CA certificates. A local certificate is issued by a CA to an entity. A CA certificate is issued to a CA itself. If multiple CAs exist in the PKI system, a CA hierarchy is formed. At the top of the hierarchy is a root CA, which has a self-signed certificate.

Certificate Revocation List

When an entity's name changes, its private key is disclosed, or its service is terminated, there must be a way to revoke the entity's certificate, that is, to unbind the public key from the entity's identity. In PKI, a certificate revocation list (CRL) is used to revoke certificates.

After a certificate is revoked, the CA must issue a CRL declaring that the certificate is invalid. The CRL lists the serial numbers of all revoked certificates and thereby provides a method of verifying certificate validity.

If a CRL lists many revoked certificates, it becomes large and consumes network resources. To avoid this, a CA issues multiple CRLs and uses CRL distribution points (CDPs) to indicate where each CRL is located.

CRL Distribution Point

A CRL distribution point (CDP) is the location from which a CRL is obtained, and it is specified in the digital certificate. A CDP can be a uniform resource locator (URL) in Hypertext Transfer Protocol (HTTP) or Lightweight Directory Access Protocol (LDAP) format, an LDAP directory, or a URL of another type.

Updated: 2019-05-25

Document ID: EDOC1000097287
