A digital certificate is a secure proof of identity. If you (or your computer) hold a digital certificate, then when another computer contacts you, that remote computer can verify that it is talking to the computer it should be talking to.
Think of how HTTPS websites work. You access https://www.paypal.com. The first thing your computer does is look at the certificate on the server and verify that the certificate says "This certificate belongs to www.paypal.com. Identity verified by Verisign, Inc. Signed. Verisign, Inc.". This way, your computer knows that a hacker hasn't intercepted the communication and redirected you to a fake server. A fake server wouldn't have the certificate, the signature on the certificate is virtually unforgeable, and a certificate without a recognisable signature will be rejected by browsers and other clients.
Certificates can be used in 2 ways:
1. Installed on a server, so that a user can be sure that they are connecting to the correct server, and not a cunningly installed fake.
2. Held by the user on their computer (or on a smart card), so that a remote server can verify that the user is who they say they are. The certificate performs the same role as a username/password, but is designed to be more secure.
IPsec has a number of techniques available to verify authenticity and identity. One of the techniques available is the use of certificates.
Certificate security for IPsec is often used on corporate VPNs, because it offers better security than usernames/passwords.
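
The two checks described in the HTTPS paragraph (is the certificate signed by a signer I recognise, and does it name the host I asked for) can be reproduced offline with the openssl command line. This is an added example, not part of the original text; "Demo Root CA" and the example.test hostnames are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo; "Demo Root CA" and the *.example.test names are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/trusted" "$WORK/rogue"

# make_ca DIR: self-signed root, standing in for the signer the client trusts.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue CA_DIR HOSTNAME OUT: the CA in CA_DIR signs a certificate for HOSTNAME.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$3.ext"
  openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}

# check CA_CERT CERT HOSTNAME: the two tests a client applies before trusting
# a peer: the signature chains to a trusted signer, and the name matches.
check() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

make_ca "$WORK/trusted"   # the signer installed in the client's trust store
make_ca "$WORK/rogue"     # same display name, but a different signing key
issue "$WORK/trusted" www.example.test "$WORK/good"
issue "$WORK/rogue"   www.example.test "$WORK/fake"
issue "$WORK/trusted" vpn.example.test "$WORK/other"

TRUST="$WORK/trusted/ca.crt"
echo "genuine server:         $(check "$TRUST" "$WORK/good.crt"  www.example.test)"
echo "unrecognised signer:    $(check "$TRUST" "$WORK/fake.crt"  www.example.test)"
echo "valid cert, wrong name: $(check "$TRUST" "$WORK/other.crt" www.example.test)"
```

Only the first certificate is accepted: the second carries the right name but a signature the client cannot trace to its trusted signer, and the third is genuinely signed but belongs to a different host.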