Public Key Infrastructure - AudioCodes Mediant 8000 Installation, Operation & Maintenance Manual

Installation & Operation Manual
33.10 X.509 Public Key Infrastructure
X.509 is an ITU-T standard for Public Key Infrastructure (PKI). The X.509 standard was adapted to the Internet by the IETF PKIX working group (RFC 3280) and is currently the most widely used PKI standard, utilized by many security applications, including SIP/TLS, HTTPS (SSL) and IPSEC/IKE.
The X.509 standard is typically used by applications that perform Public Key cryptography, also known as Asymmetric cryptography. The latter is a form of cryptography in which a user has a pair of cryptographic keys – a Public Key and a Private Key. The Private Key is kept secret, while the Public Key may be widely distributed. These keys are related mathematically; however, the Private Key cannot be practically derived from the Public Key. A message encrypted with the Public Key can be decrypted only with the Private Key.
X.509 Public Key Infrastructure uses Certificates to bind a Public Key to identity information, such as the name of the person or organization and their address. The Certificates are distributed between the participating parties and can be used to verify that the Public Key belongs to a specific individual.
In a typical PKI scheme, Certificates are issued by a Certificate Authority (CA) and provide an attestation by the certificate signer (CA) that the identity information and the public key belong together. CAs are organized in a structured hierarchical system that represents the trust relationships between them.
Each party has a list of Trusted Root Certificates – certificates of the CAs (or their roots) that are well-known and trusted by the party. When the certificate from the other party is received, its signing entity (CA) is compared with the Trusted Root Certificates list, and if a match is found, the certificate is accepted.
In the Mediant 8000 Media Gateway, X.509 Certificates are used by the following applications:
- SIP/TLS – for secure SIP call control messaging.
- HTTPS (SSL) – for internal communication between the SC and the Media Gateway boards (e.g. for online provisioning of Auxiliary Files) and for secure access to the Media Gateway board's advanced status summary via the Web interface.
- IPSEC/IKE – for secure MGCP/MEGACO call control messaging; X.509 Certificates may be used as an alternative to pre-shared key authentication mode.
The Mediant 8000 Media Gateway uses the following files to implement X.509 Public Key Infrastructure:
- Private Key File – contains the private key that is used to perform decryption; it is the most sensitive part of the security data and should never be disclosed to other entities.
- Certificate File – contains a digital signature that binds a Public Key to identity information; the Certificate may be issued by a CA (e.g. Veritas) or be self-signed (issued by the entity itself).
- CA Certificate File – certificate of the CA that issued the Certificate for the Mediant 8000 Media Gateway; an optional file that, if present, is used to validate the Certificate File.
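As an added example (not AudioCodes code, and not taken from this manual), the shell script below uses OpenSSL to produce the three files named above in a scratch directory – a self-signed CA certificate, a gateway private key and a CA-issued gateway certificate – plus a self-signed variant of the gateway certificate, and then applies the trusted-root check described earlier to each. All subject names and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not AudioCodes code): create the PKI files the manual names
# and apply the trusted-root check. All names below are constructed.
set -e
WORK=$(mktemp -d)
CA_SUBJ="/CN=Example Lab Root CA"
GW_SUBJ="/CN=mediant8000.lab.example"

# CA Certificate File: a self-signed CA certificate. The CA's own key (ca.key)
# stays with the CA; it is never installed on the gateway.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Private Key File: the gateway's key. Only the signing request (CSR), which
# carries the public key and identity, leaves the gateway.
openssl req -newkey rsa:2048 -nodes -subj "$GW_SUBJ" \
  -keyout "$WORK/gateway.key" -out "$WORK/gateway.csr" >/dev/null 2>&1

# Certificate File, CA-issued: the CA attests that identity and public key belong together.
openssl x509 -req -days 365 -in "$WORK/gateway.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/gateway.pem" >/dev/null 2>&1

# Certificate File, self-signed variant: same gateway key, signed by the gateway itself.
openssl req -x509 -key "$WORK/gateway.key" -days 365 -subj "$GW_SUBJ" \
  -out "$WORK/gateway-selfsigned.pem" >/dev/null 2>&1

# The peer's check: is the received certificate's signer in the Trusted Root list?
# $1 = certificate received from the peer (PEM), $2 = trusted root file (PEM)
verify_against_trusted_roots() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Show who signed the CA-issued certificate (issuer = the root CA subject).
openssl x509 -in "$WORK/gateway.pem" -noout -subject -issuer

echo "CA-issued cert, root CA trusted:     $(verify_against_trusted_roots "$WORK/gateway.pem" "$WORK/ca.pem")"
echo "self-signed cert, root CA trusted:   $(verify_against_trusted_roots "$WORK/gateway-selfsigned.pem" "$WORK/ca.pem")"
echo "self-signed cert, itself trusted:    $(verify_against_trusted_roots "$WORK/gateway-selfsigned.pem" "$WORK/gateway-selfsigned.pem")"
```

The last two lines show the practical consequence of the self-signed option: a peer accepts a self-signed gateway certificate only if that exact certificate has been placed in its own Trusted Root Certificates list.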
Version 6.6    33. Configuring Security Settings    325    October 2014