Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Basic Concepts of PKI


The core of PKI is digital certificate lifecycle management, including applying for, issuing, and using digital certificates. Throughout the lifecycle, PKI uses symmetric key cryptography, public key cryptography, digital envelopes, and digital signatures. Figure 17-1 shows the evolution of these technologies. Users A and B communicate through the Internet, and user C is the attacker who targets the communication data between users A and B.

Figure 17-1  Technology evolution

The concepts mentioned in the figure will be described in later sections.

Cryptography

Cryptography is the basis for secure information transmission on networks. It uses mathematics to convert plaintext (the data to be hidden) into ciphertext (unreadable data).

Symmetric Key Cryptography

Symmetric key cryptography, which is also called shared key cryptography, uses the same key to encrypt and decrypt data.

Figure 17-2 shows the symmetric key encryption and decryption process.

Figure 17-2  Symmetric key encryption and decryption process

Users A and B have negotiated the symmetric key. The encryption and decryption process is as follows:
  1. User A uses the symmetric key to encrypt data and sends the encrypted data to user B.

  2. User B decrypts the data using the symmetric key and gets the original data.

Symmetric key cryptography features high efficiency, simple algorithms, and low cost. It is suitable for encrypting a large amount of data. However, it is difficult to implement because the two parties must exchange their keys securely before communication. It is also difficult to expand because each pair of communicating parties needs to negotiate keys, and n users need to negotiate n*(n-1)/2 different keys.

The algorithms commonly used in symmetric key cryptography include Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES).

Public Key Cryptography

Public key cryptography, which is also called asymmetric key cryptography, uses different keys (public and private) for data encryption and decryption. The public key is open to the public, and the private key is possessed only by its owner.

Public key cryptography prevents the security risks in the distribution and management of a symmetric key. In an asymmetric key pair, the public key is used to encrypt data and the private key is used to decrypt data. The two parties do not need to exchange keys before a secure communication session. The sender uses the public key of the receiver to encrypt the data, and the receiver uses its own private key to decrypt data. The receiver's private key is only known by the receiver, so the data is secure.

Figure 17-3 shows the public key encryption and decryption process.

Figure 17-3  Public key encryption and decryption process

Assume that user A has the public key of user B. The encryption and decryption process is as follows:
  1. User A uses the public key of user B to encrypt data and sends the encrypted data to user B.

  2. User B decrypts the data using its own private key and gets the original data.

Attackers cannot use one key in a key pair to figure out the other key. Data encrypted with a public key can only be decrypted with the private key of the same user. However, public key cryptography requires a long time to encrypt a large amount of data, and the encrypted data is too long, consuming much bandwidth.

Public key cryptography is suitable for encrypting sensitive information such as keys and identities to provide higher security.

The algorithms commonly used in public key cryptography include Diffie-Hellman (DH), Ron Rivest, Adi Shamir, Len Adleman (RSA), and Digital Signature Algorithm (DSA).

Digital Envelope and Digital Signature

Digital Envelope

A digital envelope contains the symmetric key encrypted using the peer's public key. When receiving a digital envelope, the receiver uses its own private key to decrypt the digital envelope and obtains the symmetric key.

Figure 17-4 shows the encryption and decryption process for a digital envelope.

Figure 17-4  Digital envelope encryption and decryption process

Assume that user A has the public key of user B. The encryption and decryption process is as follows:

  1. User A uses a symmetric key to encrypt data.
  2. User A uses the public key of user B to encrypt the symmetric key and generate a digital envelope.
  3. User A sends the digital envelope and encrypted data to user B.
  4. User B uses its own private key to decrypt the digital envelope and obtains the symmetric key.
  5. User B uses the symmetric key to decrypt the data and obtains the original data.

The digital envelope has the advantages of both symmetric key cryptography and public key cryptography. It speeds up key distribution and encryption and improves key security, extensibility, and efficiency.
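The five steps above, as an added Go example that is not part of the original guide or of any device software. It assumes RSA-OAEP for wrapping the key and AES-256-GCM for the data; Envelope, Seal, Open, newGCM and newKey are illustrative names, and the key pair is constructed in the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte } // what user A sends to user B

// newGCM builds AES-256-GCM; callers guarantee a 32-byte key, so it cannot fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal is steps 1-3: encrypt under a fresh AES-256 key, wrap the key with RSA-OAEP.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 32-byte key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, buf[32:], newGCM(buf[:32]).Seal(nil, buf[32:], data, nil)}, nil
}

// Open is steps 4-5: unwrap the key with the private key, then decrypt the data.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(e.Nonce) != 12 {
		return nil, fmt.Errorf("envelope rejected (unwrap error: %v)", err)
	}
	return newGCM(key).Open(nil, e.Nonce, e.Ciphertext, nil)
}

func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	b, _ := newKey() // constructed key pair for user B
	env, _ := Seal(&b.PublicKey, []byte("data for user B"))
	pt, err := Open(b, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

Open accepts an envelope from anyone who holds user B's public key; a successful decryption says nothing about who sealed it.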

However, the digital envelope still has a vulnerability. The attacker may obtain information from user A, use its own symmetric key to encrypt the forged information, use the public key of user B to encrypt its own symmetric key, and send the information to user B. After receiving the information, user B decrypts it and considers that the information is sent from user A. To address this problem, the digital signature is used to ensure that the received information was sent from the correct sender.

Digital Signature

A digital signature is generated by the sender by encrypting the digital fingerprint using its own private key. The receiver uses the sender's public key to decrypt the digital signature and obtain the digital fingerprint.

A digital fingerprint, which is also called an information digest, is generated by the sender by applying a hash algorithm to the plaintext information. The sender sends both the digital fingerprint and the plaintext to the receiver, and the receiver uses the same hash algorithm to calculate the digital fingerprint of the plaintext. If the two fingerprints are the same, the receiver knows that the information has not been tampered with.

Figure 17-5 shows the encryption and decryption process for a digital signature.

Figure 17-5  Digital signature encryption and decryption process

Assume that user A has the public key of user B. The encryption and decryption process is as follows:

  1. User A uses the public key of user B to encrypt data.
  2. User A performs hash on the plaintext and generates a digital fingerprint.
  3. User A uses its own private key to encrypt the digital fingerprint, generating the digital signature.
  4. User A sends both the ciphertext and digital signature to user B.
  5. User B uses the public key of user A to decrypt the digital signature, obtaining the digital fingerprint.
  6. After receiving the ciphertext from user A, user B uses its own private key to decrypt the information, obtaining the plaintext information.
  7. User B performs hash on the plaintext and generates a digital fingerprint.
  8. User B compares the generated fingerprint with the received one. If the two fingerprints are the same, user B accepts the plaintext; otherwise, user B discards it.

The digital signature proves that information is not tampered with and verifies the sender's identity. The digital signature and digital envelope can be used together.

However, the digital signature still has a vulnerability. If the attacker modifies the public key of user B, user A obtains the attacker's public key instead. The attacker can then obtain the information sent from user B to user A, sign forged information using its own private key, and send the forged information, encrypted using user A's public key, to user A. After receiving the encrypted information, user A decrypts it and verifies that it has not been tampered with. In addition, user A considers that the information was sent by user B. The digital certificate can fix this vulnerability. It ensures that one public key is possessed by only one owner.
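The signing and verification steps of the digital signature procedure (steps 2, 3, 5, 7 and 8), as an added Go example that is not from the original guide. It assumes RSA-PSS over a SHA-256 fingerprint; Sign, Verify and newKey are illustrative names, the key pairs are constructed in the code, and the encryption steps 1, 4 and 6 are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign is steps 2-3: hash the plaintext into a fingerprint, then sign the
// fingerprint with the sender's private key (RSA-PSS padding, an assumption here).
func Sign(sender *rsa.PrivateKey, plaintext []byte) ([]byte, error) {
	fingerprint := sha256.Sum256(plaintext)
	return rsa.SignPSS(rand.Reader, sender, crypto.SHA256, fingerprint[:], nil)
}

// Verify is steps 5, 7 and 8: recompute the fingerprint over the received plaintext
// and check the signature against it with the public key held for the sender.
// A true result proves only that the matching private key signed this plaintext;
// whose key it is must be established separately, which is the certificate's job.
func Verify(senderKey *rsa.PublicKey, plaintext, sig []byte) bool {
	fingerprint := sha256.Sum256(plaintext)
	return rsa.VerifyPSS(senderKey, crypto.SHA256, fingerprint[:], sig, nil) == nil
}

func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	a, _ := newKey() // constructed key pair for user A
	c, _ := newKey() // constructed key pair for another party
	msg := []byte("message from user A")
	sig, _ := Sign(a, msg)
	fmt.Println("original plaintext:  ", Verify(&a.PublicKey, msg, sig))
	fmt.Println("modified plaintext:  ", Verify(&a.PublicKey, []byte("message from user X"), sig))
	fmt.Println("different public key:", Verify(&c.PublicKey, msg, sig))
}
```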

Digital Certificate

A digital certificate, or certificate, is signed by a trusted certificate authority (CA) using a digital signature and includes the certificate owner's public key and identity information.

A digital certificate is similar to a passport or identity card. People are requested to show their passports when entering foreign countries. Likewise, a digital certificate shows the identity of a device or user that requests to access a network.

It ensures that one public key is possessed by only one owner.

Digital Certificate Structure

An X.509 v3 digital certificate contains mandatory information such as public key, name, and digital signature of the CA, and optional information such as validity period of the key, issuer (CA) name, and serial number. Figure 17-6 shows the typical structure of a digital certificate.

Figure 17-6  Digital certificate structure diagram

Meaning of each field in the digital certificate:

  • Version: version of X.509. Generally, v3 (0x2) is used.
  • Serial Number: a positive and unique integer assigned by the issuer to the certificate. Each certificate is uniquely identified by the issuer name and the serial number.
  • Signature Algorithm ID: signature algorithm used by the issuer to sign the certificate.
  • Issuer: name of the device that has issued a certificate. It must be the same as the subject name in the digital certificate. Generally, the issuer name is the CA server's name.
  • Validity: time interval during which a digital certificate is valid, including the start and end dates. Expired certificates are invalid.
  • Subject: name of the entity that possesses a digital certificate. In a self-signed certificate, the issuer name is the same as the subject name.
  • Subject Public Key Info: public key and the algorithm with which the key is generated.
  • Extensions: a sequence of optional fields such as key usage and CRL distribution address.
  • Signature: signature signed on a digital certificate by the issuer using the private key.

Digital Certificate Types

There are four types of certificates, as described in Table 17-1.

Table 17-1  Certificate types

| Type | Definition | Description |
| --- | --- | --- |
| Self-signed certificate | A self-signed certificate, which is also called root certificate, is issued by an entity to itself. In this certificate, the issuer name and subject name are the same. | If an applicant fails to apply for a local certificate from the CA, it can generate a self-signed certificate. The self-signed certificate issuing process is simple. A device does not support lifecycle management (such as certificate update and revocation) over its self-signed certificate. To ensure security of the device and certificate, you are advised to replace the self-signed certificate with the local certificate. |
| CA certificate | CA's own certificate. If a PKI system does not have a hierarchical CA structure, the CA certificate is the self-signed certificate. If a PKI system has a hierarchical CA structure, the top CA is the root CA, which owns a self-signed certificate. | An applicant trusts a CA by verifying its digital signature. Any applicant can obtain the CA's certificate (including the public key) to verify the local certificate issued by the CA. |
| Local certificate | A certificate issued by a CA to the applicant. | - |
| Local device certificate | A certificate issued by a device to itself according to the certificate issued by the CA. The issuer name in the certificate is the CA server's name. | If an applicant fails to apply for a local certificate from the CA, it can generate a local device certificate. The local device certificate issuing process is simple. |

Certificate Formats

Three certificate formats are supported, as described in Table 17-2.

Table 17-2  Certificate formats

| Format | Description |
| --- | --- |
| PKCS#12 | Saves certificate files in binary format, including or excluding the private key. The commonly used file name extensions include .P12 and .PFX. |
| DER | Saves certificate files in binary format, excluding the private key. The commonly used file name extensions include .DER, .CER, and .CRT. |
| PEM | Saves certificate files in ASCII format, including or excluding the private key. The commonly used file name extensions include .PEM, .CER, and .CRT. |

If the file name extension of a certificate is .CER or .CRT, use Notepad to open this certificate and check the certificate content to differentiate the certificate format.

  • If the certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----", the certificate format is PEM.
  • If the certificate content is displayed as garbled characters, the certificate format is DER.
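An added Go example (not from the original guide) covering the certificate field list and the .CER/.CRT note in Table 17-2: it tells PEM from DER by content rather than by file extension, then checks the Issuer, Subject, Signature and Validity fields. The certificate is constructed in the code, and newSelfSigned, toPEM, Inspect and the device name are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned returns a constructed self-signed certificate in DER encoding.
func newSelfSigned(cn string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

func toPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Inspect detects PEM or DER from the content (not the file extension) and reports
// self-signed (issuer == subject and signature verifies with its own key) and in-validity.
func Inspect(data []byte, now time.Time) (format string, selfSigned, inValidity bool, err error) {
	format = "DER"
	if block, _ := pem.Decode(data); block != nil && block.Type == "CERTIFICATE" {
		format, data = "PEM", block.Bytes
	}
	c, err := x509.ParseCertificate(data)
	if err != nil {
		return "unknown", false, false, err
	}
	selfSigned = c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	inValidity = !now.Before(c.NotBefore) && !now.After(c.NotAfter)
	return format, selfSigned, inValidity, nil
}

func main() {
	der, _ := newSelfSigned("switch.example.test") // hypothetical device name
	fmt.Println(Inspect(der, time.Now()))
	fmt.Println(Inspect(toPEM(der), time.Now()))
}
```

A PKCS#12 file is reported as unknown with an error, because the Go standard library used here has no PKCS#12 parser.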

Updated: 2019-04-01

Document ID: EDOC1000178319
