 | Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |
The following are key steps for using public key cryptography to authenticate a peer. These steps are described in more detail in the following sections.
Before the router can place a digital signature on messages, it requires a private key to sign, and requires a public key so that message receivers can verify the signature.
The router requires at least one root CA certificate to send to IKE peers and also to verify that a peer's certificate is genuine.
The router requires at least one public key certificate, which binds the router identity to its public key. The CA verifies the identity represented on the certificate and then signs the certificate. The router sends the certificate to IKE peers during negotiations to advertise the router public key.
As part of IKE negotiations, the router receives its peer's digital signature in a message exchange. The router must verify the digital signature by using the peer's public key. The public key is contained in the peer's certificate, which often is received during the IKE negotiation. To ensure that the peer certificate is valid, the router verifies its digital signature by using the CA public key contained in the root CA certificate. The router and its IKE peer require at least one common trusted root CA for authentication to work.
Generally, only Step 4 is required each time a phase 1 negotiation happens. The first three steps are required only if keys are compromised or router certificates require renewal.
| Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |