Public And Secret Key Cryptography; X509 Certificates; Nat Traversal - Siemens RX1500 User Manual

Ruggedcom rox ii series
Hide thumbs Also See for RX1500:
Table of Contents

Advertisement

Chapter 5
Setup and Configuration
Uses three DES encryptions on a single data block, with at least two different keys, to get higher security than
is available from a single DES pass. 3DES is the most CPU intensive cipher.
• AES
The Advanced Encryption Standard protocol cipher uses a 128-bit block and 128, 192 or 256-bit keys. This is
the most secure protocol in use today, and is much preferred to 3DES due to its efficiency.
Section 5.28.1.3

Public and Secret Key Cryptography

In public key cryptography, keys are created in matched pairs (called public and private keys). The public key is
made public while the private key is kept secret. Messages can then be sent by anyone who knows the public key
to the holder of the private key. Only the owner of the private key can decrypt the message.
When this form of encryption is used, each router configures its VPN connection to use the RSA algorithm and
includes the public signature of its peer.
In secret key cryptography, a single key known to both parties is used for both encryption and decryption.
When this form of encryption is used, each router configures its VPN connection to use a secret pre-shared key.
For information about how to configure pre-shared keys, refer to
Section 5.28.1.4

X509 Certificates

In addition to pre-shared keys, IPsec also uses certificates to authenticate connections with hosts and routers.
Certificates are digital signatures that are produced by a trusted source, namely a Certificate Authority (CA).
For each host, the CA creates a certificate that contains CA and host information. The certificate is "signed" by
creating a digest of all the fields in the certificate and then encrypting the hash value with its private key. The
host's certificate and the CA public key are installed on all gateways that the host connects to.
When the gateway receives a connection request, it uses the CA public key to decrypt the signature back into
the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both
digests match, the integrity of the certificate is verified (it was not tampered with), and the public key in the
certificate is assumed to be the valid public key of the connecting host.
Section 5.28.1.5

NAT Traversal

Historically, IPsec has presented problems when connections must traverse a firewall providing Network
Address Translation (NAT). The Internet Key Exchange (IKE) used in IPsec is not NAT-translatable. When IPsec
connections must traverse a firewall, IKE messages and IPsec-protected packets must be encapsulated as User
Datagram Protocol (UDP) messages. The encapsulation allows the original untranslated packet to be examined
by IPsec.
Encapsulation is enabled during the IPsec configuration process. For more information, refer to
"Configuring IPsec
614
Tunnels".
Section 5.28.5, "Managing Pre-Shared
Public and Secret Key Cryptography
RUGGEDCOM ROX II
User Guide
Keys".
Section 5.28.2,

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

Rx1501Rx1510Rx1511Rx1512

Table of Contents