• RFC 2409—The Internet Key Exchange (IKE) (November 1998)
• RFC 2459—Internet X.509 Public Key Infrastructure Certificate and CRL Profile (January 1999)
• RFC 2986—PKCS #10: Certification Request Syntax Specification Version 1.7 (November 2000)
• RFC 3280—Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (April 2002)
• RFC 3447—Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 (February 2003)
For more information about IPSec and IKE, see “Configuring IPSec” on page 119.
IKE Authentication with Digital Certificates
As part of the IKE protocol, one security gateway needs to authenticate another security
gateway to make sure that IKE SAs are established with the intended party. The router
supports two authentication methods:
• Digital certificates (using RSA algorithms)
For digital certificate authentication, an initiator signs message interchange data using its private key, and a responder uses the initiator's public key to verify the signature. Typically, the public key is exchanged via messages containing an X.509v3 certificate. This certificate provides a level of assurance that a peer's identity—as represented in the certificate—is associated with a particular public key. That assurance depends on the receiving gateway validating the certificate against a trusted root CA certificate and checking that the identity in it matches the expected peer; the signature by itself proves only that the signer holds some private key. E Series Broadband Services Routers provide both an offline (manual) and an online (automatic) process when using digital certificates.
• Preshared keys
With preshared key authentication, the same secret must be configured on both security gateways before the gateways can authenticate each other.
The following sections provide information about digital certificates. For information about using preshared keys, see “IKE Overview” on page 134.
You can also use public keys for RSA authentication without having to obtain a digital certificate. For details, see “IKE Authentication Using Public Keys Without Digital Certificates” on page 212.
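The following Go program is an added example, not code from the JunosE guide or from Juniper: it walks through the offline (manual) certificate process described above and the key steps listed under Signature Authentication below. A root CA is created, a gateway generates its own key pair and enrolls through a PKCS #10 request, the initiator signs exchange data with its private key, and the responder verifies both the certificate chain against its trusted root and the signature. The CA names, the peer identity gw-b.example.net and the exchange bytes are constructed for the example; in IKE itself (RFC 2409) the signed value is the HASH_I or HASH_R computed over the exchange, which the string here merely stands in for. The second run, with an impostor holding a certificate for the same identity from a CA the responder does not trust, shows why chain validation matters: the impostor's signature verifies under its own certificate, yet authentication must still fail.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: the PKI setup steps in this demonstration are not expected to fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // demo-only serial counter; a real CA must never reuse a serial number
// certTemplate builds a one-day certificate template; CA templates also get KeyUsageCertSign.
func certTemplate(subject pkix.Name, ca bool) *x509.Certificate {
	serial++
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject, IsCA: ca,
		BasicConstraintsValid: ca, KeyUsage: usage,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// newCA creates a root CA key pair and its self-signed certificate (the root CA certificate of step 2).
func newCA(name string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := certTemplate(pkix.Name{CommonName: name}, true)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// enrollGateway: the gateway generates its key pair (step 1) and a PKCS #10 request (RFC 2986);
// the CA verifies the request's proof-of-possession signature and issues an X.509v3 certificate.
func enrollGateway(caKey *rsa.PrivateKey, caCert *x509.Certificate, identity string) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: identity}, DNSNames: []string{identity}}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	must(0, csr.CheckSignature()) // requester must prove it holds the matching private key
	tmpl := certTemplate(csr.Subject, false)
	tmpl.DNSNames = csr.DNSNames // the identity the responder will later match against
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))
	return key, must(x509.ParseCertificate(der))
}

// signExchange is the initiator's side: sign the exchange data with its private key (RSA PKCS #1 v1.5, SHA-256).
func signExchange(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// authenticatePeer is the responder's side. A valid signature alone proves only that the signer
// holds some private key; the chain check against the trusted root binds that key to the identity.
func authenticatePeer(roots *x509.CertPool, certDER, data, sig []byte, expectedID string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, DNSName: expectedID, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("peer certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, data, sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

// demo authenticates a genuine gateway, then an impostor certified for the same identity by a rogue CA.
func demo() (genuineAccepted, impostorRejected bool) {
	const peer = "gw-b.example.net" // constructed peer identity
	caKey, caCert := newCA("Example VPN Root CA")
	rogueKey, rogueCert := newCA("Rogue CA")
	gwKey, gwCert := enrollGateway(caKey, caCert, peer)
	badKey, badCert := enrollGateway(rogueKey, rogueCert, peer)
	roots := x509.NewCertPool() // responder's trust store holds only the genuine root
	roots.AddCert(caCert)
	// Constructed stand-in for the signed exchange data (HASH_I in RFC 2409 terms).
	exchange := []byte("constructed exchange data: SAi|g^xi|g^xr|CKY-I|CKY-R|IDii")
	sig := must(signExchange(gwKey, exchange))
	badSig := must(signExchange(badKey, exchange))
	genuineAccepted = authenticatePeer(roots, gwCert.Raw, exchange, sig, peer) == nil
	impostorRejected = authenticatePeer(roots, badCert.Raw, exchange, badSig, peer) != nil
	return genuineAccepted, impostorRejected
}

func main() {
	fmt.Println(demo()) // true true
}
```

Run it with go run. The responder's trust store is the root CA certificate alone, which is why the rogue CA's certificate is rejected at the chain check before the signature is even examined; the order of the two checks in authenticatePeer is deliberate, since verifying a signature under an untrusted key proves nothing about who the peer is.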
Signature Authentication
The following are the key steps for using public key cryptography to authenticate a peer. These steps are described in more detail in the following sections.
1. Generating a private/public key pair
Before the router can place a digital signature on messages, it requires a private key to sign with, and the corresponding public key so that message receivers can verify the signature.
2. Obtaining a root CA certificate
207
Copyright © 2010, Juniper Networks, Inc.
Chapter 8: Configuring Digital Certificates