PKI as a Trusted Third-Party Protocol

PKI does not eliminate the need to authenticate public keys when they are exchanged in an asymmetric encryption environment, but it solves the scalability problem of that process. It uses the concept of a single, trusted introducer. Instead of securely exchanging all public keys among all devices, only the public key of the trusted introducer has to be securely distributed to all devices, as shown in Figure 25-2. This is usually done by downloading the public key and then verifying it out of band. The trusted introducer performs the role of authentication for the devices: if the devices are authenticated by the trusted introducer, they are considered authenticated to each other; if they are not authenticated by the trusted introducer, they are not authenticated to each other. Essentially, the devices have an explicit (configured) trust to believe anything the trusted introducer tells them.

Figure 25-2. Using the Public Key of the Trusted Introducer

When all devices know the authentic key of the introducer, the introducer can guarantee the authenticity of the public keys of all devices by using a certificate for each device in the topology. The certificate includes information about the identity of a device and its public key. The (publicly trusted) introducer then signs the certificates of the individual devices, and the devices can directly distribute their public keys by sending their certificates. A device receiving such a certificate can verify it by checking the signature of the issuer (the introducer).

Every user in the system trusts information provided by the introducer. In practice, this is accomplished by digital signatures. Anything that the introducer signs is considered to be trusted. To verify the signatures of the trusted introducer, each user of this system must first obtain the public key of the trusted introducer. To become a part of the trust system, all end users enroll with the introducer; that is, they submit their identity and their public key to the introducer, as shown in Figure 25-3.

Figure 25-3. Exchanging Public Keys

The trusted introducer then verifies the identity and public key of each enrolling user and, if they are correct, digitally signs the submitted public key with the private key of the introducer. The result is a kind of "document" (certificate) for each user, containing the identity (name) of the user and the public key of the user, bound together by the signature of the trusted introducer. As shown in Figure 25-4, each user now possesses a public and private key pair, the public key of the trusted introducer, and a document with the identity and public key of the user, signed by the trusted introducer.

Figure 25-4. Generation of a PKI Certificate

Because every user now holds the public key of the trusted introducer, together with its own document containing its correct name and public key signed by the trusted introducer, every user can verify any data signed by the trusted introducer. The entities can now (independently of the trusted introducer) establish point-to-point trusted relationships by exchanging information about themselves in the form of that document.

In practice, this means that at this stage the end users can mutually exchange signed public keys over an insecure medium and use the digital signature of the trusted introducer as the protection mechanism for the exchange. Again, the signature of the trusted introducer is trusted because it can be verified (the entities have the public key of the trusted introducer), and the trusted introducer and its operations are considered to be secure.
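The enrollment and verification flow described above, modelled as an added example that is not from the book: Ed25519 signatures stand in for the introducer's signature, the certificate is a simple (identity, public key, signature) record, and the device names and keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Certificate binds a device identity to its public key; the introducer's
// signature over that binding is what peers verify. (Constructed model.)
type Certificate struct {
	Identity  string
	PublicKey ed25519.PublicKey
	Signature []byte // introducer's signature over hash(Identity || 0 || PublicKey)
}

// tbs returns the "to-be-signed" digest of the identity/key binding.
func tbs(identity string, pub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(identity))
	h.Write([]byte{0}) // domain separator between the two fields
	h.Write(pub)
	return h.Sum(nil)
}

// Enroll models the introducer signing a device's submitted identity and key
// after verifying them; only the introducer holds introPriv.
func Enroll(introPriv ed25519.PrivateKey, identity string, pub ed25519.PublicKey) Certificate {
	return Certificate{identity, pub, ed25519.Sign(introPriv, tbs(identity, pub))}
}

// Verify is what a peer does with a received certificate: it needs only the
// introducer's public key (obtained securely once), not any prior contact.
func Verify(introPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(introPub, tbs(c.Identity, c.PublicKey), c.Signature)
}

func main() {
	introPub, introPriv, _ := ed25519.GenerateKey(rand.Reader)
	phonePub, _, _ := ed25519.GenerateKey(rand.Reader)
	cert := Enroll(introPriv, "ip-phone-1", phonePub)
	fmt.Println("genuine certificate verifies:", Verify(introPub, cert))
	forged := cert
	forged.Identity = "ip-phone-2" // identity swapped, signature unchanged
	fmt.Println("tampered certificate verifies:", Verify(introPub, forged))
	rogue, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("verifies against a rogue introducer key:", Verify(rogue, cert))
}
```

The last two checks show why the introducer's public key must be distributed authentically: a peer holding the wrong introducer key either rejects every genuine certificate or, worse, would accept certificates issued by whoever holds that key.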

Authorized Self-Study Guide Cisco IP Telephony (CIPT)
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
ISBN: 158705261X
Year: 2004
Pages: 329