IPSec Overview Part Four: Internet Key Exchange (IKE)

Contents

  1. IKE Overview
  2. Pre-Shared Keys
  3. RSA Signatures
  4. RSA Encryption
  5. Certificate Authorities and Digital Certificates
  6. How IPSec Works

Article Description

In part 4 of his five-part series on the Cisco implementation of IPSec, Andrew Mason describes the Internet Key Exchange (IKE).

Certificate Authorities and Digital Certificates

The distribution of keys in a public key scheme requires some trust. If the infrastructure is untrusted and control is questionable (such as on the Internet), distributing keys is troublesome. RSA signatures are used by certificate authorities (CAs), which are trusted third-party organizations. VeriSign, Entrust, and Netscape are examples of companies that provide digital certificates. A client registers with a certificate authority; after the CA verifies the client's credentials, a certificate is issued.

The digital certificate is a package containing information such as the certificate bearer's identity (his or her name or IP address), the certificate's serial number, the certificate's expiration date, and a copy of the certificate bearer's public key. The standard digital certificate format is defined in the X.509 specification. X.509 version 3 defines the data structure for certificates and is the standard that Cisco supports. Figure 2 identifies some key points of CA operation.

Figure 2 CAs and digital certificates.
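To make the certificate contents and the CA's role concrete, the following Go program (an added example, not code from the article or from Cisco) builds a stand-in CA with the standard library's crypto/x509, has it sign a peer certificate carrying the fields listed above, and checks that the certificate chains to that CA and to no other. The CA name, peer name, IP address and serial number are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// sign creates the certificate described by tmpl, signed with key; parent == tmpl self-signs.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds a self-signed X.509 v3 CA certificate (a constructed stand-in for a commercial CA) and its RSA signing key.
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// Issue has the CA sign a peer certificate holding the fields the article lists: the bearer's
// identity (name and IP address), a serial number, an expiry date and the bearer's public key.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, name string, ip net.IP, serial int64, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IPAddresses: []net.IP{ip}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECEndSystem}}
	return sign(tmpl, ca, pub, caKey) // only the peer's public key is embedded; its private key stays with the peer
}

// Trusted reports whether peer chains to ca; a well-formed certificate from any other issuer fails.
func Trusted(peer, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECEndSystem}})
	return err == nil
}
```

The RSA signature over the certificate body is what lets a peer trust the embedded public key without having exchanged it out of band; swapping in a certificate from a CA the verifier does not hold in its root pool fails the check even though every field in it is well formed.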
