ScreenOS Firewalls (NOT SRX)
Reply
Visitor
sdqs_23
Posts: 4
Registered: ‎06-04-2008
0
Accepted Solution

Question about Digital Certificate for VPN

Hello guys,

 

I am confuse in uderstanding Digital certificate concept. My question is that  one peer obtain its local certificate from CA and send it to other peer (to which it wants to establish tunnel) for authentication then how other peer verify it?

 

As i undertood yet is peer send certification request using its public key then CA issue certificate (first hash it with public key of peer and then encrypt it with its private key). When this peer after obtaining certificate send it to other peer for authentication then how other peer produce hash of certificate bcs he does not know the private key of first peer?

 

Please help me.

Contributor
sushilmenon
Posts: 44
Registered: ‎11-16-2007
0

Re: Question about Digital Certificate for VPN

hi mate with certificates both the peers have a root certificate of the ca and plus each peer has it;s own identity signed by the same ca. so peer1 certificate will have his public key in it and it is signed by the ca server.

 

the process of signing is that the ca server hashes the entire certificate including the public key of the peer1and then encryptes the hash using the ca;s private key. this encrypted hash is attached to thepeer1;s certificate.

 

when peer1 receives his identity certificate it decryptes the hash using the ca;s public;s key from the ca;s root certificate.it proves that the hash was encrypted using the ca;s private key. 

 

then peer1 runs a hash on the certificate to check whether it was tampered or not. 

 

similar procedure is done by both the peers. 

 

now peer1 sends his identity certificate to peer2. now peer2 tries to decrypt the encrypted hash on the certificate using the public of the ca;s root certificate. to check whether the certificate is signed by the same ca whom he trust. once he;s done that then he runs a hash on the certificate to check whether it was tampered or not. 

 

ohh in the ike phase1 a nounce is encrypted by peer1;s private key and send along with the certificate.peer1 after doing the above process tries to decrypt the nounce using the publickey of peer1 which he received from peer1. so it proves that public he received from peer1;s certificate actually belongs to peer1 only. 

 

hope this solves ur query.

 

regards

 

Sushil

Visitor
sdqs_23
Posts: 4
Registered: ‎06-04-2008
0

Re: Question about Digital Certificate for VPN

Hello

 

You are simply brilliant :smileyhappy: My one more question is that When peer 1 send its certificate to peer 2 then i guess its on unsecure channel i mean not encrypted so when some one get this certificate then it will know the public key of peer 1 and it can send wrong messages to peer 1 using its public key. Am i got right and is there some remeedy of it?

 

Thanks 

Contributor
sushilmenon
Posts: 44
Registered: ‎11-16-2007
0

Re: Question about Digital Certificate for VPN

hi mateif u see when we use digital certificates in ipsec we are using main mode in ike phase-1 . which uses 6 iaskmp messages for building the secure communication.during message 3 and 4 both the parties run deffie-hellmand at their ends and generate the shared secret. from the shared secret material both the peers generate skeid-a, skeid-e and skeid-d. the sheid-a is used by ur  hash algorithm specified in the ike phase1 proposal and skeid-e is used by ur encryption algorithm specified in the ike phase-1 proposal.

 

now once the peers have generated these keys everything that will exchanged further will be encrypted using the algorithm specified in the ike phase1 with skeid-e as the key and it will be hashed with the hash algorithm specified in the ike phase1 using sked-a as the key for it.

 

now both the peers when exchanging the certificates with each other in message 5 and 6 will encrypte the entire certificate with skeid-e and hash it using skeid-a and send the hash and the encrypted certificate to peer2.

 

now peer2 will first run a hash on the encrypted certificate using his skeid-a which naturally will be same since diffie-hellman has generated it. once it verifies the hash he created and the hash he received it will now decrypt the certificate using   skeid-e . once the certificate is decrypted then u know how the certificate is verified as mentioned in the above post. 

 

so u see the peer1 certificate is not send in clear text it is send securely. 

 

if u have any more doubts do let me know. 

 

i hope this really helps and solves ur query.

 

regards

 

Sushil

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.