A Public Key Infrastructure (PKI) is a system of cryptographic endpoints that rely on an infrastructure of trusted resources, such as Certificate Authorities (CAs) and Registration Authorities (RAs), to carry out cryptographic transactions in a trusted manner. In large enterprise-class IPSec VPN designs, the burden of key management can be overwhelming: with pre-shared keys, every pair of peers needs its own shared secret, so the number of keys to distribute and rotate grows with the square of the number of gateways. As the number of cryptographic endpoints scales upward, so does the need for a centralized, scalable method of key management between those endpoints, or in this case, between the IPSec VPN gateways. A PKI can be used in many types of cryptographic solutions. However, in the context of IPSec VPN deployments, the PKI entails the following elements:
Using the elements listed in the bulleted list above, PKIs present a comprehensive and scalable design option for secure key management in large-scale IPSec VPN deployments. Cisco IPSec VPN technologies support PKIs through the RSA Signatures method of IKE authentication, an asymmetric scheme in which each peer proves its identity during Phase 1 by signing the negotiation with its private key and presenting a CA-issued certificate that the remote peer validates against the trusted CA's certificate. Note that RSA signatures provide authentication only; the Phase 1 SA's own encryption still uses the symmetric cipher negotiated in the ISAKMP policy, keyed from the Diffie-Hellman exchange. In this chapter, we will discuss a brief history and overview of PKI, then proceed to discuss the advantages of deploying IPSec VPNs using the RSA Signature method of IKE authentication in a PKI architecture.
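The following Cisco IOS configuration is an added illustration of the scaling point above, not configuration from the original chapter: a gateway authenticating peers with pre-shared keys beside the same gateway re-configured for RSA signatures with a CA trustpoint. The hostnames, addresses, trustpoint and key-pair labels (ca.example.com, 198.51.100.2, ENTERPRISE-CA, VPN-KEY) are assumed placeholders.

```cisco
! ---- Before: pre-shared keys. One "crypto isakmp key" line per peer, and
! ---- every peer must hold a matching secret for every other gateway.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp key S3cret-Branch1 address 198.51.100.2
crypto isakmp key S3cret-Branch2 address 198.51.100.3
! ... one line per remote gateway, repeated (with matching secrets) on every peer

! ---- After: RSA signatures with a trustpoint. Each gateway holds only its own
! ---- key pair, its own certificate and the CA certificate; any peer that
! ---- presents a valid certificate from the same CA can authenticate.
! Assumed CA URL and DN; replace with the enterprise CA's values.
crypto pki trustpoint ENTERPRISE-CA
 enrollment url http://ca.example.com:80
 subject-name CN=vpn-gw1.example.com,OU=VPN,O=Example Corp
 revocation-check crl
 rsakeypair VPN-KEY
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
! Send the certificate DN as the IKE identity so peers can match on it.
crypto isakmp identity dn
!
! One-time enrollment steps, run from privileged EXEC mode (not config mode):
!   crypto key generate rsa label VPN-KEY modulus 2048
!   crypto pki authenticate ENTERPRISE-CA   <- verify the CA fingerprint out of band
!   crypto pki enroll ENTERPRISE-CA         <- request this gateway's certificate
!
! Verification after a tunnel comes up:
!   show crypto pki certificates
!   show crypto isakmp sa
```

Two checks worth keeping in mind: the CA certificate fingerprint displayed by `crypto pki authenticate` must be compared against a value obtained out of band, since the trust of every tunnel rests on it, and `revocation-check crl` should stay enabled so a compromised gateway's certificate can be revoked rather than requiring every peer's configuration to be edited, which is exactly the per-peer burden the pre-shared-key design imposes.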