Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the security configurations, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Security Mechanism

The SSL protocol provides three security mechanisms as follows:
  • Identity Authentication: This mechanism uses digitally signed certificates to authenticate a server and a client that attempt to communicate with each other. Client identity authentication is optional.
  • Data Confidentiality: This mechanism uses symmetric cryptography to encrypt data to be transmitted.
  • Message Integrity Check: This mechanism uses a Message Authentication Code (MAC) algorithm to verify message integrity during the transmission.

Identity Authentication

A client must validate the SSL server to ensure that confidential information will not be intercepted. SSL uses digital signatures to authenticate the identities of the two communicating parties.

A digital signature is computed using asymmetric cryptography. Data encrypted with a private key can be decrypted only with the matching public key. Therefore, if the receiver decrypts the data successfully, it considers the sender authentic. For example, Alice encrypts a piece of information with her private key and sends it to Bob. Bob decrypts the information using Alice's public key. If the decrypted information matches the information that Alice encrypted, Bob confirms that the information was sent by Alice. This process is called a digital signature.

When a digital signature is used to authenticate an identity, the public key of the authenticated party must be known to be genuine. Otherwise, an unauthorized user can forge the identity of the authenticated party when communicating with the authenticator. The validity of a public key is ensured by distributing the public key in a digital certificate.

A digital certificate (certificate for short) is a file that binds a public key to a user identity. A certificate is issued by a certificate authority (CA). When the CA issues a certificate, it also provides a trusted-CA file, which is used to prove the CA's identity and to check the validity of certificates it has issued.

To have its identity authenticated by a peer, an SSL server or client sends the certificate it obtained from the CA to the peer. The peer checks the validity of the certificate against the trusted-CA file and, after verifying it, uses the public key in the certificate to authenticate the sender.

Data Confidentiality

Data transmitted on networks is vulnerable to eavesdropping by unauthorized users. SSL sets up an encryption channel between the two communicating parties to ensure data confidentiality.

Before sending data through an encryption channel, the sender uses an encryption algorithm and key to encrypt the data. After receiving data from an encryption channel, the receiver uses a decryption algorithm and key to recover the plaintext. Any third party without the key cannot obtain the plaintext, so data confidentiality is ensured.

Two types of cryptography are available for encryption and decryption:
  • Symmetric cryptography: Both devices use the same key to encrypt and decrypt data. This method is computationally fast and is generally used to encrypt large amounts of information, for example, all packets exchanged between two communicating parties.
  • Asymmetric cryptography: The devices use different keys to encrypt and decrypt data: a public key that is given to peers and a private key that is kept locally. Data encrypted with the public (or private) key can be decrypted only with the matching private (or public) key. This method is typically used to encrypt and decrypt small amounts of information.

SSL uses the Rivest-Shamir-Adleman (RSA) key exchange algorithm, an asymmetric cipher, to encrypt the premaster secret randomly generated by the client. The two ends derive the key for a symmetric cipher from the premaster secret and then use that symmetric cipher to encrypt the data to be transmitted.

Message Integrity Check

To prevent data transmitted on networks from being modified by unauthorized users, SSL uses a keyed MAC algorithm to ensure message integrity.

A MAC algorithm maps a key and data of arbitrary length to a fixed-length MAC value.
  • The sender uses the MAC algorithm and a key to compute a MAC and appends it to the message before sending the message to the receiver.
  • The receiver uses the same key and MAC algorithm to compute a MAC over the received message and compares it with the MAC carried in the message.

If the two MACs are the same, the message has not been tampered with during transmission. If the two MACs are different, the message has been tampered with during transmission, and the receiver will discard this message.
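The following added example (written for this page, not code from the Huawei document) shows how the premaster secret from the Data Confidentiality section becomes the symmetric MAC keys, and how the sender appends a MAC to each record and the receiver checks it as described above. It assumes the TLS 1.2 PRF and record MAC from RFC 5246 with HMAC-SHA256, and uses constructed handshake values in place of real random ones.

```python
import hashlib
import hmac
import struct

SHA256_LEN = 32          # MAC length for HMAC-SHA256
TLS12 = 0x0303           # ProtocolVersion field in the MAC input
APPLICATION_DATA = 23    # ContentType application_data

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5: concatenated HMACs over A(i) + seed."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)         # TLS 1.2 PRF(secret, label, seed)

def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes):
    """Premaster -> 48-byte master secret -> key block; returns (master, client MAC key, server MAC key)."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    key_block = prf(master, b"key expansion", server_random + client_random, 2 * SHA256_LEN)
    return master, key_block[:SHA256_LEN], key_block[SHA256_LEN:2 * SHA256_LEN]

def record_mac(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    """MAC over seq_num(8) + type(1) + version(2) + length(2) + fragment, as in RFC 5246 6.2.3.1."""
    header = struct.pack("!QBHH", seq, APPLICATION_DATA, TLS12, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def protect_record(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    """Sender: append the MAC to the fragment (the result would then be encrypted)."""
    return fragment + record_mac(mac_key, seq, fragment)

def verify_record(mac_key: bytes, seq: int, data: bytes):
    """Receiver: recompute the MAC and compare in constant time; return the fragment, or None to discard."""
    if len(data) < SHA256_LEN:
        return None
    fragment, tag = data[:-SHA256_LEN], data[-SHA256_LEN:]
    if not hmac.compare_digest(tag, record_mac(mac_key, seq, fragment)):
        return None
    return fragment

if __name__ == "__main__":   # constructed values; a real client sends a random premaster secret under RSA
    master, c_key, s_key = derive_keys(bytes(range(48)), b"\x01" * 32, b"\x02" * 32)
    record = protect_record(c_key, 0, b"GET / HTTP/1.1\r\n")
    print("intact record accepted:", verify_record(c_key, 0, record) is not None)
    print("tampered record accepted:", verify_record(c_key, 0, b"X" + record[1:]) is not None)
```

Because the sequence number is part of the MAC input, a record replayed or reordered on the wire fails the check even though its bytes are unchanged.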

Updated: 2019-04-20

Document ID: EDOC1100074765
