Certificate Management Overview; Advantages Of Certificates - ZyXEL Communications Centralized Network Management Vantage CNM User Manual

Chapter 21 CNM System Setting

21.7 Certificate Management Overview

Some devices can provide certificates (also called digital IDs) for users to authenticate the
device. Certificates are based on public-private key pairs. A certificate contains the certificate
owner's identity and public key. Certificates provide a way to exchange public keys for use in
authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each
certificate owner. There are commercial certification authorities like CyberTrust or VeriSign
and government certification authorities. You can use the device to generate certification
requests that contain identifying information and public keys and then send the certification
requests to a certification authority.
In public-key encryption and decryption, each host has two keys. One key is public and can be
made openly available; the other key is private and must be kept secure. Public-key encryption
in general works as follows.
1 Tim wants to send a private message to Jenny. Tim generates a public key pair. What is
encrypted with one key can only be decrypted using the other.
2 Tim keeps the private key and makes the public key openly available.
3 Tim uses his private key to encrypt the message and sends it to Jenny.
4 Jenny receives the message and uses Tim's public key to decrypt it.
5 Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny's
public key to decrypt the message.
The device uses certificates based on public-key cryptology to authenticate users attempting to
establish a connection, not to encrypt the data that you send after establishing a connection.
The method used to secure the data that you send through an established connection depends
on the type of connection. For example, a VPN tunnel might use the triple DES encryption
algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the
certification authority's public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a
certificate. The device does not trust a certificate if any certificate on its path has expired or
been revoked.
Certification authorities maintain directory servers with databases of valid and revoked
certificates. A directory of certificates that have been revoked before the scheduled expiration
is called a CRL (Certificate Revocation List). The device can check a peer's certificate against
a directory server's list of revoked certificates. The framework of servers, software, procedures
and policies that handles keys is called PKI (public-key infrastructure).

21.7.1 Advantages of Certificates

The device only has to store the certificates of the certification authorities that you decide to
trust, no matter how many devices you need to authenticate.
Key distribution is simple and very secure since you can freely distribute public keys and you
never need to transmit private keys.
308
Vantage CNM User's Guide