Specifications
Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 4 of 42
4 Introduction to PKI and EAP-TLS
EAP-TLS (RFC 2716) uses the TLS protocol (RFC 2246), which is the Internet Engineering Task Force’s (IETF’s)
latest version of the Secure Sockets Layer (SSL) protocol. TLS provides a way to use certificates for both user and
server authentication and for dynamic session key generation.
EAP-TLS builds on the concepts of PKI. The following section introduces PKI and the concepts of certificates, certificate
authorization, and validating user identity, and briefly examines a simple example of SSL usage that is familiar to
most people.
4.1 Overview of PKI
A Public Key Infrastructure (PKI) is a management system designed to administer asymmetric cryptographic keys
and public key certificates. It acts as a trusted component that guarantees the authenticity of the binding between a
public key and security information, including identity, involved in securing a transaction with public key
cryptography.
PKI protects information in several essential ways, described in Table 4-1.
Note:
EAP-TLS uses the first attribute in this table, identity authentication, as a later example will show.
A certificate is a cryptographically signed structure, called the digital certificate, that guarantees the association
between at least one identifier and a public key. It is valid for a limited period of time (called the validity period), for
a specific usage, and under certain conditions and limitations described in a certificate policy. The authority that
issues this certificate is called the certification authority.
Table 4-1 PKI Protections

Authenticates identity: Digital certificates issued as part of your PKI allow individual users, organizations, and Web site operators to confidently validate the identity of each party in an Internet transaction.
Verifies integrity: A digital certificate ensures that the message or document the certificate “signs” has not been changed or corrupted in transit online.
Ensures privacy: Digital certificates protect information from interception during Internet transmission.
Authorizes access: PKI digital certificates replace easily guessed and frequently lost user IDs and passwords to streamline intranet log-in security and reduce the Message Integration Service (MIS) overhead.
Authorizes transactions: With PKI solutions, your enterprises can control access privileges for specified online transactions.
Supports nonrepudiation: Digital certificates validate their users' identities, making it nearly impossible to later repudiate a digitally “signed” transaction, such as a purchase made on a Web site.
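As an added example that is not part of this Cisco document, the following Go program (standard library only) plays both the certification authority and the relying party described above: it issues a user certificate that binds a constructed identity to a public key for a limited validity period and for TLS client authentication only, then runs the checks an EAP-TLS authentication server performs on it. The CA name, user name, key type and lifetimes are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign has the issuing authority (parent, holding key) produce the signed structure
// that binds tmpl's subject to pub. For the self-signed root, parent is tmpl itself.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Constructed example: a root CA and a user certificate it issues, valid for one day
// and restricted to TLS client authentication (the usage an EAP-TLS client presents).
var (
	now        = time.Now()
	caKey, _   = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl     = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert     = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	userKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userCert   = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.com"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, &userKey.PublicKey, caKey)
)

// validate performs the relying party's checks: the signature chains to a trusted CA,
// "at" lies inside the validity period, and the permitted usage covers the requested one.
func validate(leaf, trusted *x509.Certificate, at time.Time, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err // nil means the certificate is accepted
}

func main() {
	fmt.Println("valid, client auth:", validate(userCert, caCert, now.Add(time.Hour), x509.ExtKeyUsageClientAuth))
	fmt.Println("after expiry:", validate(userCert, caCert, now.Add(48*time.Hour), x509.ExtKeyUsageClientAuth))
	fmt.Println("wrong usage:", validate(userCert, caCert, now.Add(time.Hour), x509.ExtKeyUsageServerAuth))
}
```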