
ZyXEL Communications USG FLEX H Series - 24.6 Certificate Overview

Chapter 24 System
USG FLEX H Series User’s Guide
24.6 Certificate Overview
The Zyxel Device can use certificates (also called digital IDs) to authenticate users. Certificates are
based on public-private key pairs. A certificate contains the certificate owner’s identity and public key.
Certificates provide a way to exchange public keys for use in authentication.
24.6.1 What You Need to Know
When using public-key cryptography for authentication, each host has two keys. One key is public and can
be made openly available. The other key is private and must be kept secure.
These keys work like a handwritten signature (in fact, certificates are often referred to as “digital
signatures”). Only you can write your signature exactly as it should look. When people know what your
signature looks like, they can verify whether something was signed by you, or by someone else. In the
same way, your private key “writes” your digital signature and your public key allows people to verify
whether data was signed by you, or by someone else. This process works as follows.
1 Tim wants to send a message to Jenny. He needs her to be sure that it comes from him, and that the
message content has not been altered by anyone else along the way. Tim generates a public-private key pair
(one public key and one private key).
2 Tim keeps the private key and makes the public key openly available. This means that anyone who
receives a message seeming to come from Tim can read it and verify whether it is really from him or not.
3 Tim uses his private key to sign the message and sends it to Jenny.
4 Jenny receives the message and uses Tim’s public key to verify it. Jenny knows that the message is from
Tim, and that although other people may have been able to read the message, no one can have
altered it (because they cannot re-sign the message with Tim’s private key).
5 Additionally, Jenny uses her own private key to sign a message and Tim uses Jenny’s public key to verify
the message.
The Zyxel Device uses certificates based on public-key cryptography to authenticate users attempting to
establish a connection, not to encrypt the data that you send after establishing a connection. The
method used to secure the data that you send through an established connection depends on the
type of connection. For example, a VPN tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification
authority’s public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The
Zyxel Device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A
directory of certificates that have been revoked before the scheduled expiration is called a CRL
(Certificate Revocation List). The Zyxel Device can check a peer’s certificate against a directory server’s
list of revoked certificates. The framework of servers, software, procedures and policies that handles keys
is called PKI (public-key infrastructure).
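
The certification-path rule described above (a certificate is not trusted if any certificate on its path has expired or been revoked), as an added example written with Go's standard crypto/x509 package; it is not the Zyxel Device's implementation. The certificate names, the helper functions issue and trusted, and the map of revoked serial numbers (a constructed stand-in for a CRL fetched from a directory server) are assumptions made for the illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate signed with the parent's private key (self-signed root when parent is nil).
func issue(cn string, serial int64, isCA bool, validFor time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor), BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted checks signatures and validity periods on the path leaf -> ca -> root, then the revoked list.
func trusted(leaf, ca, root *x509.Certificate, revoked map[string]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return err // bad signature, unknown issuer, or an expired certificate on the path
	}
	for _, c := range chains[0] { // one root and one intermediate give a single path
		if revoked[c.SerialNumber.String()] {
			return fmt.Errorf("%s (serial %s) is revoked", c.Subject.CommonName, c.SerialNumber)
		}
	}
	return nil
}

func main() {
	root, rootKey := issue("Example Root CA", 1, true, 24*time.Hour, nil, nil)
	ca, caKey := issue("Example Issuing CA", 2, true, 24*time.Hour, root, rootKey)
	peer, _ := issue("vpn-peer.example", 3, false, 24*time.Hour, ca, caKey)
	fmt.Println(trusted(peer, ca, root, nil), trusted(peer, ca, root, map[string]bool{"2": true}))
}
```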
