Lantronix 900-598 Network Hardware User Manual

PremierWave XC User Guide 95
14: Security in Detail
Public Key Infrastructure
Public Key Infrastructure (PKI) is based on an encryption technique that uses two keys: a public
key and a private key. Public keys can be used to encrypt messages that can only be decrypted
using the private key. This technique is referred to as asymmetric encryption, as opposed to
symmetric encryption, in which a single secret key is used by both parties.
TLS (SSL)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), use
asymmetric encryption for authentication. In some scenarios, only a server needs to be
authenticated, in others both client and server authenticate each other. Once authentication is
established, clients and servers use asymmetric encryption to exchange a secret key.
Communication then proceeds with symmetric encryption, using this key.
SSH and some wireless authentication methods on the PremierWave XC make use of SSL. The
PremierWave XC supports SSLv2, SSLv3, and TLS 1.0.
TLS/SSL application hosts use separate digital certificates as a basis for authentication in both
directions: to prove their own identity to the other party, and to verify the identity of the other party.
In proving its own authenticity, the PremierWave XC will use its own "personal" certificate. In
verifying the authenticity of the other party, the PremierWave XC will use a "trusted authority"
certificate.
In short:
- When using EAP-TLS, the PremierWave XC needs a personal certificate with matching private key to identify itself and sign its messages.
- When using EAP-TLS, EAP-TTLS or PEAP, the PremierWave XC needs the authority certificate(s) that can authenticate those it wishes to communicate with.
Digital Certificates
The goal of a certificate is to authenticate its sender. It is analogous to a paper document that
contains personal identification information and is signed by an authority, for example a notary or
government agency. With digital certificates, a cryptographic key is used to create a unique digital
signature.
Trusted Authorities
A private key is used by a trusted certificate authority (CA) to create a unique digital signature.
Along with this private key is a certificate of authority, containing a matching public key that can
be used to verify the authority's signature but not re-create it.
A chain of signed certificates, anchored by a root CA, can be used to establish a sender's
authenticity. Each link in the chain is certified by a signed certificate from the previous link, with