Digital Certificates - VPN Tutorial

Public Key Authentication

Like pre-shared keys, digital certificates are a way for a VPN peer to prove its identity: that you are who you say you are, or that your VPN firewall is the device it claims to be. A digital certificate is an electronic document issued by a Certification Authority (CA), an organisation whose job is to vet identities and manage such certificates; Verisign is a well-known example of a Certification Authority. If two peers each accept the other's digital certificate, they trust each other's identity, that is, each trusts that the opposite peer is who it says it is.

When a CA issues a certificate to a VPN device, it vouches that the public key in that certificate belongs to the device named in it. It does this by digitally signing the certificate it provides to the device: anyone holding the CA's own certificate can check that signature, and any change to the certificate after it was issued breaks the signature.

A real-life comparison is the identity documents people carry, such as a driving licence or a passport. A digital certificate plays the same role for devices: a device proves it is who it says it is by presenting its certificate (its version of a passport or driving licence) to peer devices.

Remember that the certificate presented, and the certificate authority that issued it, must be trusted by the peer. If the remote party does not trust your CA, or has never been given a copy of your CA's certificate, your identity will not be trusted. In practice, trust is decided by which CA certificates each VPN device has installed as trusted roots: a certificate from a large public CA such as Verisign is accepted only where that CA's root certificate is installed, and a certificate from a small or private CA is accepted by every peer that has that CA's root installed, and by nobody else. Many site-to-site VPNs therefore run their own private CA and install its root on each firewall, which is perfectly sound as long as both ends are configured to trust that CA.

In a real-world scenario, if someone showed you a DVLA driving licence you would feel confident they are who they say they are, because the ID was issued by the DVLA. On the other hand, if they showed you an employee ID from the company Joe Bloggs, or some other random ID, you would most likely feel a little suspicious, unless you happened to know and trust Joe Bloggs yourself.

How this works is that a CA issues you a certificate containing your identity and your public key, signed by the CA. When you present your certificate to a peer, the peer uses its own copy of the CA's certificate (installed in advance as a trusted root) to check that signature: if the signature verifies, the certificate is genuine and has not been modified. The peer then confirms that the certificate is still within its validity period, has not been revoked, and names the identity it expects for that peer. Finally, during IKE authentication you sign part of the exchange with the private key that matches the certificate, which proves you actually hold that key and not merely a copy of someone else's certificate. You take the same steps, in the other direction, to check your remote peer's identity.
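The following is an added illustration (not code from this tutorial) of the trust-store point made above and of the verification steps just described. Textbook RSA over fixed, publicly known Mersenne primes stands in for a real CA's signature algorithm, and a dict stands in for an X.509 certificate; the cryptography is deliberately insecure (no padding, small keys) and only the trust logic is the point. The CA names, peer names, timestamps and IKE nonce are all constructed for the example.

```python
"""Toy model of how a VPN peer checks a presented digital certificate.

Added illustration, not code from this tutorial. Textbook RSA over fixed
Mersenne primes stands in for a real CA's signature algorithm; a dict
stands in for an X.509 certificate. NOT secure crypto (no padding, tiny
keys); only the trust logic is the point.
"""
import hashlib
import json

E = 65537  # the usual RSA public exponent


def mersenne(k: int) -> int:
    """2**k - 1; prime for k in {31, 61, 89, 107, 127, 521} as used below."""
    return (1 << k) - 1


def make_keypair(p: int, q: int):
    """Textbook RSA key pair from two known primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the RSA modulus (no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: dict, data: bytes) -> int:
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])


def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])


def tbs_bytes(cert: dict) -> bytes:
    """Canonical 'to be signed' encoding: every field except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()


def issue(ca_name: str, ca_priv: dict, subject: str, subject_pub: dict,
          not_after: int) -> dict:
    """The CA binds subject name + public key together and signs the result."""
    cert = {"subject": subject, "issuer": ca_name,
            "public_key": subject_pub, "not_after": not_after}
    cert["signature"] = sign(ca_priv, tbs_bytes(cert))
    return cert


def validate_peer(cert: dict, expected_id: str, nonce: bytes, pop_sig: int,
                  trust_store: dict, now: int) -> str:
    """The checks a VPN peer applies; returns 'ok' or the first failure."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:                      # issuing CA not installed as a root
        return "untrusted issuer"
    if not verify(ca_pub, tbs_bytes(cert), cert["signature"]):
        return "bad CA signature"           # forged, or edited after issue
    if now > cert["not_after"]:
        return "expired"
    if cert["subject"] != expected_id:      # genuine cert, but for another peer
        return "identity mismatch"
    if not verify(cert["public_key"], nonce, pop_sig):
        return "no proof of possession"     # presenter lacks the private key
    return "ok"


def demo() -> dict:
    """Constructed scenario: one trusted CA, one rogue CA, one VPN firewall."""
    ca_pub, ca_priv = make_keypair(mersenne(89), mersenne(127))
    _, rogue_priv = make_keypair(mersenne(61), mersenne(107))
    fw_pub, fw_priv = make_keypair(mersenne(31), mersenne(521))
    now, year = 1_700_000_000, 365 * 86400  # fixed 'current time' for the demo
    trust = {"Corp Root CA": ca_pub}        # roots installed on the local firewall
    nonce = b"ike-auth-nonce-0001"          # constructed stand-in for IKE auth data
    fw = "vpn-fw1.example.com"

    good = issue("Corp Root CA", ca_priv, fw, fw_pub, now + year)
    rogue = issue("Joe Bloggs CA", rogue_priv, fw, fw_pub, now + year)
    tampered = dict(good)
    tampered["subject"] = "attacker.example.com"   # changed after signing
    pop = sign(fw_priv, nonce)              # genuine proof of key possession

    return {
        "good": validate_peer(good, fw, nonce, pop, trust, now),
        "unknown_ca": validate_peer(rogue, fw, nonce, pop, trust, now),
        "tampered": validate_peer(tampered, "attacker.example.com", nonce, pop, trust, now),
        "expired": validate_peer(good, fw, nonce, pop, trust, now + 2 * year),
        "wrong_peer": validate_peer(good, "vpn-fw2.example.com", nonce, pop, trust, now),
        "stolen_cert": validate_peer(good, fw, nonce, sign(rogue_priv, nonce), trust, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

The order of checks mirrors what a VPN peer does: first decide whether the issuer is one of its installed roots at all, then check the CA's signature, validity, and the expected identity, and only then require the presenter to prove it holds the matching private key. The "stolen_cert" case is why that last step matters: a certificate is public, so presenting one proves nothing by itself.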

Further Reading

Wikipedia's guide to Public Key Certificates