NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Overview of PKI

This section describes the background and basic concepts of the PKI system.

The Public Key Infrastructure (PKI) is a framework of protocols and cryptographic algorithm suites that authenticates devices attempting to establish IPSec tunnels with each other.

PKI combines hardware, software, people, processes, and policies with asymmetric cryptography to create digital identities and to provide authentication and secure communication between two end parties.

With the growth of e-commerce, online banking, and online securities trading, Internet security is becoming increasingly important. Attackers may intercept plaintext application data and launch man-in-the-middle attacks.

For example, as shown in Figure 13-1, peer A attempts to establish an IPSec VPN to peer B, but the attacker intercepts the information sent by peer A to peer B and impersonates peer B to establish the connection with peer A. To ensure security, peer A and peer B must authenticate each other's identity before establishing a connection.
Figure 13-1 Man-in-the-Middle Attack

In an IPSec VPN, peers are authenticated using pre-shared keys or certificates. A pre-shared key is a key configured identically on both devices; a connection is set up only when each end confirms that its key matches the other end's. This authentication mode is easy to configure. On a network with a large number of devices, however, the pre-shared key must be re-configured on all devices whenever a new device is added to the network. As a result, the configuration workload increases exponentially and is error-prone.

To implement authentication across a wide range of devices and reduce man-in-the-middle attacks, certificates can be used for authentication in large VPNs. Peers first apply for certificates from the Certificate Authority (CA). Before establishing a VPN, the peers verify each other's certificates. The connection between the peers can be established only after both certificates have been verified. This effectively prevents man-in-the-middle attacks.

PKI offers the following benefits:
  • PKI provides a secure channel for communication.
  • PKI offers a variety of services, including authentication, integrity protection, confidentiality, and access control.
  • PKI offers a scalable method to secure networks and simplifies the deployment of network infrastructure by enabling security features such as IPSec, Secure Shell (SSH), and Secure Sockets Layer (SSL).
  • PKI offers security at a larger scale than traditional forms of authentication such as username and password.
Updated: 2019-01-02

Document ID: EDOC1100055397
