PKI FAQ


General Questions

  1. Basic cryptography concept
  2. What is PKI?
  3. What are the security services PKI provides?
  4. What are the main elements of a PKI?
  5. What is a Certification Authority?
  6. What is a digital certificate?
  7. What are public and private keys, and what is their relationship?
  8. What are Certificate Policies (CPs)?
  9. How does a PKI ensure data confidentiality?
  10. What is a digital signature?
  11. How does a digital signature work?

ZyXEL PKI Implementation

  1. Does ZyXEL provide CA service?
  2. What if customers don't have access to CA service, but would like to use PKI function?
  3. How can I get a self-signed certificate for a ZyXEL appliance?
  4. Can I create self-signed certificates in addition to the default one?
  5. Will the self-signed certificate be erased if I reset to the default configuration file?
  6. Will certificates stored in the ZyXEL appliance be erased if I reset to the default configuration file?
  7. What can I do prior to resetting the appliance's configuration?
  8. If I export My Certificates from the ZyXEL appliance, save them locally, and then import them back after resetting the configuration file, can I reuse the imported My Certificates?

General Questions

1. Basic Cryptography concept

Encryption and decryption are the two major operations in cryptography. Whenever we want to send a secret over an insecure medium, such as the Internet, we can encrypt the secret before sending it out. The receiver then needs the corresponding decryption key to recover the encrypted secret. Keys are needed for both operations: the key used to encrypt data is called the encryption key, and the key used for decryption is called the decryption key.

Cryptography can be categorized into two types, symmetric and asymmetric. In symmetric cryptography, the encryption key is the same as the decryption key. Otherwise, we call the cryptography asymmetric.

Symmetric ciphers, such as DES, 3DES and AES, are normally used for data transmission, since they require less computation power than asymmetric cryptography. The task of privately choosing a key before communicating, however, can be problematic. Real-world applications may use asymmetric cryptography to protect the distribution of the (symmetric) keys, and use symmetric cryptography for data transmission.

Asymmetric cryptography solves the key exchange problem by defining an algorithm which uses two keys, each of which can be used to encrypt a message. If one key is used to encrypt a message, then the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other secret (the private key).

2. What is PKI?

PKI is the acronym for Public Key Infrastructure. A PKI is a comprehensive system of policies, processes, and technologies working together to enable users of the Internet to exchange information securely and confidentially. Public Key Infrastructures are based on the use of cryptography – the scrambling of information by a mathematical formula and a virtual key so that it can only be decoded by an authorized party using a related key.

A PKI uses pairs of cryptographic keys provided by a trusted third party known as a Certification Authority (CA). Central to the workings of a PKI, a CA issues digital certificates that positively identify the holder's identity. A Certification Authority maintains accessible directories of valid certificates, and a list of certificates it has revoked.

3. What are the security services PKI provides?

PKI brings to the electronic world the security and confidentiality features provided by the physical documents, hand-written signatures, sealed envelopes and established trust relationships of traditional, paper-based transactions. These features are:

4. What are the main elements of a PKI?

A PKI includes:

These elements work within a formal structure defined by:

5. What is a Certification Authority?

A Certification Authority is a trusted third party that verifies the identity of an applicant registering for a digital certificate. Once a Certification Authority is satisfied as to the authenticity of an applicant's identity, it issues that person a digital certificate binding his or her identity to a public key. (Digital certificates are also issued to organizations and devices, but we will focus on people for the purposes of this discussion.)

6. What is a digital certificate?

An electronic credential that vouches for the holder's identity, a digital certificate has characteristics similar to those of a passport – it has identifying information, is forgery-proof, and is issued by a trusted third party. Digital certificates are published in on-line directories. Typically, a digital certificate contains:

The issuing Certification Authority's digital signature is for verifying the information in the digital certificate.

7. What are public and private keys, and what is their relationship?

A PKI uses asymmetric cryptography to encrypt and decrypt information. In asymmetric cryptography, encryption is done by a freely available public key, and decryption is done by a closely guarded private key. Although the public and private keys in a particular key pair are mathematically related, it is impossible to determine one key from the other. Each key in an asymmetric key pair performs a function that only the other can undo.

8. What are Certificate Policies (CPs)?

Certification Authorities issue digital certificates that are appropriate to specific purposes or applications. For example, in the Government of Canada Public Key Infrastructure, digital certificates for data confidentiality are different from those used for digital signatures. Certificate Policies describe the rules governing the different uses of these certificates.

9. How does a PKI ensure data confidentiality?

Users' public keys are published in an accessible directory. A person wishing to send an encrypted message uses the recipient's public key to scramble the information in the message. Only the recipient's private key can decrypt the message.

So, if Bob wants to send a confidential message to Alice, his PKI software finds Alice's public key in the directory where it is published, and he uses it to encrypt his message. When Alice receives the encrypted message, she uses her private key to decrypt it. Because Alice keeps her private key secret, Bob can be assured that, even if his message were to be intercepted, only Alice can read it.

10. What is a digital signature?

Not to be confused with a digitized signature (a scan of a hand-written signature), a digital signature can be used with either encrypted or unencrypted messages to confirm the sender's identity and assure the recipient that the message content has not been changed in transmission. Digital signatures incorporate the characteristics of hand-written signatures in that they can only be generated by the signer, are verifiable, and cannot easily be imitated or repudiated.

11. How does a digital signature work?

Suppose that the famous Bob and Alice wish to correspond electronically. Bob wants to assure Alice that he originated the electronic message, and that its contents have not been tampered with. He does so by signing the message with a digital signature.

When Bob clicks on the digital signature option on his e-mail application, special software applies a mathematical formula known as a hash function to the message, converting it to a fixed-length string of characters called a message digest. The digest acts as a "digital fingerprint" of the original message. If the original message is changed in any way, it will not produce the same message digest when the hash function is applied. Bob's software then encrypts the message digest with his private key, producing a digital signature of the message. He transmits the message and digital signature to Alice.

Alice uses Bob's public key to decrypt the digital signature, revealing the message digest. Since only Bob's public key can decrypt the digital signature, she is able to verify that Bob was the sender of the message. This verification process also tells Alice's software which hash function was used to create the message digest of Bob's original message. To verify the message content, Alice's software applies the hash function to the message she received from Bob. The message digests should be identical. If they are, Alice knows the message has not been changed and she is assured of its integrity. (If Bob had wanted to ensure the confidentiality of his message, he could have encrypted it with Alice's public key before applying the hash function to the message.)

The best thing about all these encryption, decryption, verifying and authenticating processes is that special software does them all transparently, so that Bob and Alice receive the assurances they need without having actually to engage in computations themselves.
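
The sign-and-verify flow described above, as an added example (not ZyXEL code and not part of the original FAQ): textbook RSA without padding over a constructed toy key, using only the Python standard library. The function names, the "name:digest" encoding that carries the hash function's name inside the signature, and the allowlist of accepted hashes are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed toy key built from two well-known Mersenne primes. It is
# trivially factorable and only illustrates the flow; real keys use random
# primes and a padded signature scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                     # Bob's public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))       # Bob's private exponent

ACCEPTED_HASHES = {"sha256", "sha512"}  # assumption: Alice's verifier policy


def sign(message: bytes, hash_name: str = "sha256") -> int:
    """Bob: hash the message, then transform the digest with his private key."""
    digest = hashlib.new(hash_name, message).digest()
    # The hash name travels inside the signed value, so the verifier learns
    # which hash function produced the digest.
    blob = hash_name.encode() + b":" + digest
    return pow(int.from_bytes(blob, "big"), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Alice: recover the digest with Bob's public key, re-hash, compare."""
    if not 0 <= signature < N:
        return False
    recovered = pow(signature, E, N)
    blob = recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")
    name, sep, signed_digest = blob.partition(b":")
    hash_name = name.decode(errors="replace")
    # Reject malformed signatures and hash functions outside the allowlist.
    if not sep or hash_name not in ACCEPTED_HASHES:
        return False
    actual = hashlib.new(hash_name, message).digest()
    return hmac.compare_digest(actual, signed_digest)


if __name__ == "__main__":
    msg = b"Transfer 100 to Alice"      # constructed sample message
    sig = sign(msg)
    print("original verifies:", verify(msg, sig))
    print("tampered verifies:", verify(b"Transfer 900 to Alice", sig))
```

Restricting the accepted hash functions on the verifier's side keeps a signature made over a weak digest from being accepted merely because it is mathematically valid.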

ZyXEL PKI Implementation

1. Does ZyXEL provide CA service?

No, ZyXEL doesn't maintain a CA service for customers. Customers need to find a CA server (a trusted third party) in order to use PKI functionality on the ZyWALL.

2. What if customers don't have access to CA service, but would like to use PKI function?

ZyXEL's VPN solution provides a mechanism called a "self-signed" certificate. If you don't have access to a CA service but would like to use the PKI function, please use the self-signed certificate. Check here for how to configure it.

3. How can I get a self-signed certificate for a ZyXEL appliance?

Each ZyXEL appliance provides a self-signed certificate along with the default configuration file. You can check the content of the self-signed certificate in the web GUI.

4. Can I create self-signed certificates in addition to the default one?

Yes, you can create self-signed certificates of your own by selecting self-signed category when creating My Certificates.

5. Will the self-signed certificate be erased if I reset to the default configuration file?

Yes, the original self-signed certificate will be erased. The ZyXEL appliance will create a new self-signed certificate at its first boot-up after the configuration is reset, but the new self-signed certificate is different from the original one. Users therefore also need to export the new self-signed certificate to the appliance's peer if they would like to use PKI for VPN.

6. Will certificates stored in the ZyXEL appliance be erased if I reset to the default configuration file?

Yes, My Certificates, Trusted CA's certificates, and Trusted Remote's certificates will be totally erased after erasing the configuration files. Users need to enroll My Certificates and import Trusted CA's certificates and Trusted Remote's certificates again.

7. What can I do prior to resetting the appliance's configuration?

Before resetting the configuration, you can export Trusted CA's certificates and Trusted Remote's certificates to the local computer. Then import them back into the ZyXEL appliance.

8. If I export My Certificates from the ZyXEL appliance, save them locally, and then import them back after resetting the configuration file, can I reuse the imported My Certificates?

No, you can't reuse them. Each certificate stored in My Certificates has a corresponding private key. When you erase the configuration, the corresponding private keys are also deleted, so you can't reuse the certificates by importing them afterward.