No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Overview of SSL

Overview of SSL


The Secure Sockets Layer (SSL) protocol uses data encryption, identity authentication, and message integrity check to ensure security of TCP-based application layer protocols.

SSL is a cryptographic protocol that provides communication security over the Internet. It allows a client and a server to communicate in a way designed to prevent eavesdropping. The server must be authenticated by the client before they start to communicate, and the client can also be authenticated by the server. SSL is widely used in ecommerce and online banking. It has the following advantages:

  • High security: SSL ensures secure data transmission by using data encryption, identity authentication, and message integrity check.
  • Support for various application layer protocols: SSL was originally designed to secure World Wide Web traffic. SSL functions between the application layer and the transport layer, so it can provide security for any TCP-based application.
  • Easy to deploy: SSL has become a world-wide communications standard used to authenticate websites and web users, and to encrypt data transmitted between browser users and web servers.

SSL improves device security using the following functions:

  • Allows only authorized users to connect to servers.
  • Encrypts data transmitted between a client and a server to secure data transmission and computes a digest to ensure data integrity.
  • Defines an access control policy on a device based on certificate attributes to control access rights of clients. This access control policy prevents unauthorized users from attacking the device.

Basic Concepts

  • Certificate Authority (CA)

    A CA is an entity that issues, manages, and abolishes digital certificates. A CA checks validity of digital certificate owners, signs digital certificates to prevent eavesdropping and tampering, and manages certificates and keys. A world-wide trusted CA is called a root CA. The root CA can authorize other CAs as subordinate CAs. The CA identities are described in a trusted-CA file.

    In the certificate issuing process, CA1 functions as the root CA and issues a certificate for CA2, and CA2 issues a certificate for CA3. The process repeats until CAn issues the final server certificate.

    In the certificate authentication process, the client first authenticates the server's certificate. If CA3 issues the server certificate, the client uses CA3 certificate to authenticate the server certificate. If the server certificate is authenticated, the client uses CA2 certificate to authenticate the CA3 certificate. After CA2 certificate is authenticated, the client uses CA1 certificate to authenticate CA2 certificate. The client considers the server certificate valid only when CA2 certificate has been authenticated.

    Figure 17-1 shows the certificate issuing and authentication processes.

    Figure 17-1  Certificate issuing and authentication
  • Digital certificate

    A digital certificate is an electronic document issued by a CA to bind a public key with a certificate subject (an applicant that has obtained a certificate). Information in a digital certificate includes the applicant name, public key, digital signature of the CA that issues the digital certificate, and validity period of the digital certificate. A digital certificate verifies the identities of two communicating parties, improving communication reliability.

    A user must obtain the public key certificate of the information sender to decrypt and authenticate information in the certificate. The user also needs the CA certificate of the information sender to verify the identity of the information sender.

  • Certificate Revocation List (CRL)

    A CRL is issued by a CA to specify certificates that have been revoked.

    Each certificate has a validity period. A CA can issue a CRL to revoke certificates before their validity periods expire. The validity period of a certificate specified in the CRL is shorter than the original validity period of the certificate. If a CA revokes a digital certificate, the key pair defined in the certificate cannot be used. After a certificate in a CRL expires, the certificate is deleted from the CRL to shorten the CRL.

    Information in a CRL includes the issuer and serial number of each certificate, the issuing date of the CRL, certificate revocation date, and time when the next CRL will be issued.

    Clients use CRLs to check validity of certificates. When verifying a server's digital certificate, a client checks the CRL. If the certificate is in the CRL, the client considers the certificate invalid.

Security Mechanisms

SSL provides the following security mechanisms:

  • Connection privacy

    SSL uses symmetric cryptography to encrypt data. It uses the Rivest-Shamir-Adleman (RSA) algorithm (an asymmetric algorithm) to encrypt the key used by the symmetric cryptography.

  • Identity authentication

    Digital certificates are used to authenticate a server and a client that need to communicate with each other. The SSL server and client use the mechanism provided by the public key infrastructure (PKI) to apply to a CA for a certificate.

  • Message integrity

    A keyed message authentication code (MAC) is used to verify message integrity during transmission.

    A MAC algorithm computes a key and data of an arbitrary length to generate a MAC of a fixed length.

    • A message sender uses a MAC algorithm and a key to compute a MAC, appends it to a message, and send the message to a receiver.
    • The receiver uses the same key and MAC algorithm to compute a MAC and compares it with the MAC in the received message.

    If the two MACs are the same, the message has not been tampered during transmission. If the two MACs are different, the message has been tampered, and the receiver discards this message.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 127538

Downloads: 231

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next