Certificate Authority - IPsec VPN Tutorial Guide

When you're opening a bank account, you have to bring a form of ID from a reliable source, such as a passport or driving licence; a certificate authority (CA) provides that form of identity for the digital world. We use digital signatures to form digital credentials that authenticate, over the internet, the identity of a party sending data in an IPsec arrangement, and these digital certificates are issued by CAs such as Verisign and Thawte.

Verisign sends a certificate to each person or entity and digitally signs it with its (Verisign's) private key, which certifies the authenticity of the user or device. Certificates are then loaded and verified by end users.

For example, Joe wants to communicate with Carl, so Joe sends his certificate to Carl, and Carl checks the certificate's CA signature against Verisign. He uses Verisign's CA public key to confirm that the CA signature on the certificate is genuine. If the certificate is valid, Carl can assume Joe is who he says he is and that the message is valid. Joe then checks Carl's certificate in the same way, and if that certificate is also valid, the VPN process can proceed.

All certificates are exchanged during the IPsec negotiation process. CAs are the masterminds behind the public key infrastructure (PKI). The CA's own digital certificate is created with the CA's private key; it is the one that guarantees the authenticity.
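The Joe-and-Carl exchange above, as an added example that is not part of the original tutorial: a CA (a stand-in for Verisign) issues an X.509 certificate to Joe, and Carl verifies the CA's signature on it with the CA public key he trusts. It also shows why that trust matters: a certificate for "Joe" issued by an impostor CA using the same name fails the check. It assumes the Python `cryptography` library; all names and keys are constructed for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def make_ca(name):
    """Generate a CA key pair and its self-signed root certificate (constructed, not a real CA)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))  # the CA's certificate is signed with its own private key
    return key, cert

def issue_cert(ca_key, ca_cert, common_name, subject_pubkey):
    """The CA binds common_name to subject_pubkey and signs the result with its private key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(subject_pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))

def verify_against_ca(cert, ca_cert):
    """Carl's check: was the signature on cert made by the CA whose public key he trusts?"""
    try:  # the signature covers the to-be-signed portion of the certificate
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject

def demo():
    """Constructed scenario: a genuine certificate verifies; one from an impostor CA does not."""
    ca_key, ca_cert = make_ca("Example CA")
    joe_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    joe_cert = issue_cert(ca_key, ca_cert, "Joe", joe_key.public_key())
    rogue_key, rogue_cert = make_ca("Example CA")  # same name, but a different private key
    forged = issue_cert(rogue_key, rogue_cert, "Joe", joe_key.public_key())
    return verify_against_ca(joe_cert, ca_cert), verify_against_ca(forged, ca_cert)
```

The issuer name alone proves nothing; only the signature, checked with the trusted CA public key, distinguishes the genuine certificate from the forged one.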

Some examples of public CAs are Verisign, RSA, Entrust, Thawte, and Baltimore.

Digital signatures vs digital certificates

Looking further into digital certificates and digital signatures, the following provides the differences and the relationship between the two:

Digital signature – Links a message or data to a sender’s private key. On the receiving end, the encrypted hash can only be decrypted by using the sender’s public key. It is used to prove authenticity and to validate identity.

Digital certificate – Binds or links a person or a corporate entity to a private key. To be clear, this is not binding of the data or the message itself. This is an X.509 certificate which proves the entity is who it claims to be.

The relationship between a digital signature and a digital certificate is that a certificate can be used to link or bind a person or entity to a digital signature. A certificate is like a person's driving licence, whereas a signature is like a person's credit card.

Further Reading

Wikipedia's guide to Certification Authority