Lantronix XSENSO 21R2 Switch User Manual
xSenso User Guide 109
19: Security in Detail
Public Key Infrastructure
Public key infrastructure (PKI) is based on an encryption technique that uses two keys: a public
key and private key. Public keys can be used to encrypt messages which can only be decrypted
using the private key. This technique is referred to as asymmetric encryption, as opposed to
symmetric encryption, in which a single secret key is used by both parties.
TLS (SSL)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), use asymmetric
encryption for authentication. In some scenarios, only a server needs to be authenticated, in
others both client and server authenticate each other. Once authentication is established, clients
and servers use asymmetric encryption to exchange a secret key. Communication then proceeds
with symmetric encryption, using this key.
SSH and some wireless authentication methods on the xSenso make use of SSL. The xSenso
supports SSLv2, SSLv3, and TLS1.0.
TLS/SSL application hosts use separate digital certificates as a basis for authentication in both
directions: to prove their own identity to the other party, and to verify the identity of the other party.
In proving its own authenticity, the xSenso will use its own "personal" certificate. In verifying the
authenticity of the other party, the xSenso will use a "trusted authority" certificate.
In short:
When using EAP-TLS, the xSenso needs a personal certificate with matching private key to
identify itself and sign its messages.
When using EAP-TLS, EAP-TTLS or PEAP, the xSenso needs the authority certificate(s) that
can authenticate those it wishes to communicate with.
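The two requirements above, and the chain of trust described under Trusted Authorities, as an added Go illustration that is not part of the xSenso manual or any Lantronix code: it builds a constructed root CA, intermediate CA and device ("personal") certificate, verifies the device certificate against the trusted root, rejects an unrelated root, and checks that the device's private key matches its certificate. All names (issue, BuildChain, Verify, KeyMatches, the certificate subjects) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate for cn signed by parentKey; parent == nil self-signs (root CA).
func issue(cn string, ca bool, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may certify the next link in the chain
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // does not fail with a working system RNG
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the root CA vouches for itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}
// BuildChain returns root CA, intermediate CA, device cert and device key; each link signs the next.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	root, rootKey := issue("Constructed Root CA", true, 1, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, 2, root, rootKey)
	leaf, leafKey := issue("xsenso-device (constructed)", false, 3, inter, interKey)
	return root, inter, leaf, leafKey
}
// Verify walks leaf -> inter -> trustedRoot; the root passed in is the only trust anchor.
func Verify(leaf, inter, trustedRoot *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
// KeyMatches reports whether the device's private key belongs to its personal certificate.
func KeyMatches(leaf *x509.Certificate, key ed25519.PrivateKey) bool {
	pub, ok := leaf.PublicKey.(ed25519.PublicKey)
	return ok && pub.Equal(key.Public())
}
```

Verify succeeds only when the supplied trust anchor actually signed the top of the chain; a second, unrelated root with the same subject name is rejected because its signature does not check out.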
Digital Certificates
The goal of a certificate is to authenticate its sender. It is analogous to a paper document that
contains personal identification information and is signed by an authority, for example a notary or
government agency. With digital certificates, a cryptographic key is used to create a unique digital
signature.
Trusted Authorities
A private key is used by a trusted certificate authority (CA) to create a unique digital signature.
Along with this private key is a certificate of authority, containing a matching public key that can be
used to verify the authority's signature but not re-create it.
A chain of signed certificates, anchored by a root CA, can be used to establish a sender's
authenticity. Each link in the chain is certified by a signed certificate from the previous link, with
the exception of the root CA. This way, trust is transferred along the chain, from the root CA