beautypg.com

Technical overview, Public keys, Message encryption – Allied Telesis AT-S63 User Manual

Page 579: Digital signatures, Public keys message encryption digital signatures

background image

AT-S63 Management Software Menus Interface User’s Guide

Section IV: Security

579

Technical Overview

The public key infrastructure (PKI) feature is part of the switch’s suite of
security modules, and consists of a set of tools for managing and using
certificates. The tools that make up the PKI allow the switch to securely
exchange public keys, while being sure of the identity of the key holder.

The switch acts as an End Entity (EE) in a certificate-based PKI. More
specifically, the switch can communicate with Certification Authorities
(CAs) and Certificate Repositories to request, retrieve and verify
certificates.The switch allows protocols running on the switch, such as
ISAKMP, access to these certificates. The following sections of this
chapter summarize these concepts and describe the switch’s
implementation of them.

Public Keys

Public key encryption involves the generation of two keys for each user,
one private and one public. Material encrypted with a private key can
only be decrypted with the corresponding public key, and vice versa. An
individual’s private key must be kept secret, but the public key may be
distributed as widely as desired, because it is impossible to calculate the
private key from the public key. The advantage of public key encryption
is that the private key need never be exchanged, and so can be kept
secure more easily than a shared secret key.

Message

Encryption

One of the two main services provided by public key encryption is the
exchange of encrypted messages. For example, user 1 can send a secure
message to user 2 by encrypting it with user 2’s public key. Only user 2
can decrypt it, because only user 2 has access to the corresponding
private key.

Digital

Signatures

The second main service provided by public key encryption is digital
signing. Digital signatures both confirm the identity of the message’s
supposed sender and protect the message from tampering. Therefore
they provide message authentication and non-repudiation. It is very
difficult for the signer of a message to claim that the message was
corrupted, or to deny that it was sent.

Both the exchange of encrypted messages and digital signatures are
secure only if the public key used for encryption or decryption belongs
to the message’s expected recipient. If a public key is insecurely
distributed, it is possible a malicious agent could intercept it and replace
it with the malicious agent’s public key (the Man-in-the-Middle attack).
To prevent this, and other attacks, PKI provides a means for secure
transfer of public keys by linking an identity and that identity’s public
key in a secure certificate.