Certificate Mgmt - ZyXEL Communications Vantage CNM 2.0 User Manual

Vantage CNM 2.0
LABEL
Cancel

18.6 Certificate Mgmt

18.6.1 Certificates Overview – ZyXEL device
The ZyXEL device can use certificates (also called digital IDs) to authenticate users. Certificates are based on
public-private key pairs. A certificate contains the certificate owner's identity and public key. Certificates
provide a way to exchange public keys for use in authentication.
A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are
commercial certification authorities like CyberTrust or VeriSign and government certification authorities. You
can use the ZyXEL device to generate certification requests that contain identifying information and public keys
and then send the certification requests to a certification authority.
In public-key encryption and decryption, each host has two keys. One key is public and can be made openly
available; the other key is private and must be kept secure. Public-key encryption in general works as follows.
1. Tim wants to send a private message to Jenny. Tim generates a public key pair. What is encrypted with one
key can only be decrypted using the other.
2. Tim keeps the private key and makes the public key openly available.
3. Tim uses his private key to encrypt the message and sends it to Jenny.
4. Jenny receives the message and uses Tim's public key to decrypt it.
5. Additionally, Jenny uses her own private key to encrypt a message and Tim uses Jenny's public key to decrypt
the message.
The ZyXEL device uses certificates based on public-key cryptology to authenticate users attempting to establish
a connection, not to encrypt the data that you send after establishing a connection. The method used to secure the
data that you send through an established connection depends on the type of connection. For example, a VPN
tunnel might use the triple DES encryption algorithm.
The certification authority uses its private key to sign certificates. Anyone can then use the certification
authority's public key to verify the certificates.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL
device does not trust a certificate if any certificate on its path has expired or been revoked.
Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory
of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation
List). The ZyXEL device can check a peer's certificate against a directory server's list of revoked certificates.
The framework of servers, software, procedures and policies that handles keys is called PKI (public-key
infrastructure).
18.6.2 Advantages of Certificates
Certificates offer the following benefits.
The ZyXEL device only has to store the certificates of the certification authorities that you decide to trust, no
matter how many devices you need to authenticate.
Key distribution is simple and very secure since you can freely distribute public keys and you never need to
transmit private keys.
18-14
Table 18-14 System > Address Book Add/Edit
Click Cancel to return to the previous screen.
DESCRIPTION
Other System Screens