Overview of PKI

Definition

The Public Key Infrastructure (PKI) is a framework that consists of a collection of protocols and cryptographic algorithm suites that authenticates the device that attempts to establish IPsec tunnels between each other.

PKI uses a sum total of the hardware, software, people, processes and policies along with the asymmetric cryptography technology to facilitate the creation of a digital identity, authentication and secure communication between two communicating end parties.

Purpose

With the development of e-commerce, online banking, and online securities transaction, Internet security becomes increasingly important. Certain people may intercept the plain-text data in applications and launch man-in-the-middle attacks.

For example, as shown in Figure 1, peer A attempts to establish an IPsec VPN to peer B, but the attacker intercepts the information sent by peer A to peer B, and acts as peer B to establish the connection with peer A. To ensure security, peer A and peer B must authenticate the identities of each other before establishing a connection.
Figure 1 Man-in-the-Middle Attack

In an IPsec VPN, peers are authenticated using pre-shared keys or certificates. A pre-shared key is the key configured on both devices. When one end checks that its key is the same as the key of the other end, they can set up a connection. This authentication mode is easy to configure. On the network deployed with a large number of devices, the pre-shared key needs to be re-configured on all devices when a new device is added to the network. As a result, the configuration workload increases exponentially and is easy to make errors.

To implement authentication on a wide range of devices and reduce middleman attacks, certificates can be used for user authentication in large VPNs. Peers first apply for certificates from the Certificate Authority (CA). Before establishing a VPN, peers attempt to authenticate each other's certificates. The connection between the peers can be established only if both certificates have been authenticated. This effectively prevents middleman attacks.

Benefits

PKI offers the following benefits:
  • PKI is a secure channel for communication.
  • PKI offers a variety of services like authentication, integrity protection, confidentiality and access control.
  • PKI offers a scalable method to secure networks and simplify the deployment of network infrastructures by enabling security features, including IPsec, Secure Shell (SSH), Secure Socket Layer (SSL) and so on.
  • PKI offers a large scale security compared to the traditional form of authentication like: username and password.
Parent Topic: PKI Description
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >