Specifications

Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 6 of 42
During the registration process, an end entity makes itself known to a certification authority through a registration
authority before that certification authority issues a certificate. The end entity provides its name and other attributes
to be included in its public key certificate(s) and the certification authority (or the registration authority, or both)
verifies the correctness of the provided information.
The key pair generation for an end entity may either take place in its own environment or is done by the certification
authority (or registration authority). If the key pair is not generated by the end entity itself, then the generated private
key must be distributed to the end entity in a secure way (for example, through a secure key distribution protocol,
or by using a physical token such as a smart card).
The certification process takes place at the certification authority. After verifying the correctness of the end entity’s
name and attributes (and that the end entity possesses the corresponding private key), the certification authority issues
a certificate for the end entity’s public key. That certificate is then returned to the end entity or posted in a repository
where it is publicly available, or both.
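The three stages described above (local key pair generation, registration with a name and a proof that the end entity holds the private key, and certification followed by verification by a relying party) as a complete worked example. This is added illustration code, not Cisco's and not from the white paper; it uses Go's standard crypto/x509 package, a hypothetical "Example Root CA" that acts as its own registration authority, and a constructed end entity name "alice@example.test".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Step 1 (end entity): generate the key pair in the end entity's own environment,
// so the private key never has to be distributed; only the public key leaves it.
func GenerateEndEntityKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Step 2 (registration): the end entity states the name it wants certified and
// binds it to its public key in a request signed with its own private key.
func BuildRegistrationRequest(name string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// NewCA builds a self-signed root for the demo (hypothetical "Example Root CA").
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Step 3 (certification): the CA, acting here as its own registration authority,
// checks the request before signing. approvedName is the identity the RA has
// verified out of band; a request for any other name is refused.
func IssueCertificate(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, approvedName string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// Proof of possession: the request's signature must verify under the public
	// key it carries, which shows the requester really holds the private key.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName != approvedName {
		return nil, errors.New("requested name was not verified by the registration authority")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// Relying party: accept the certificate only if it chains to the trusted CA and
// is valid now; on success the certified name is returned.
func VerifyAgainstCA(certDER []byte, caCert *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caCert, caKey, _ := NewCA()
	eeKey, _ := GenerateEndEntityKey()
	csr, _ := BuildRegistrationRequest("alice@example.test", eeKey)
	certDER, err := IssueCertificate(caCert, caKey, csr, "alice@example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyAgainstCA(certDER, caCert))
}
```

The two checks inside IssueCertificate are the ones that matter operationally: CheckSignature is the proof of possession the text refers to, and the name comparison is the registration authority's job; an issuer that skips either one will certify a name for a key whose holder was never verified.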
Section 4.1.1 provides an example of PKI usage, and Section 4.1.2 discusses elements of trust in PKI.
4.1.1 The Amazon.com Example
Before sending a credit card number to buy a book at Amazon.com, a customer must verify that the Web site he or
she entered is indeed Amazon.com. Also, a secured tunnel between the customer and Amazon must be established to
send the credit card number safely. SSL provides this capability. In this case, the customer (using SSL) authenticates
Amazon; but note that Amazon does not authenticate the customer. This is called server-side authentication (only the
server is authenticated). With EAP-TLS, the RADIUS server authenticates the user, and the user authenticates the
RADIUS server. This is called mutual authentication. EAP-TLS authentication will be examined in detail later.
There are two means to verify that Amazon is Amazon. If Amazon and the customer share a secret (a shared secret
known only to the customer and to Amazon), the customer is then able to challenge Amazon and to verify that
Amazon is holding the shared secret. The problem with this model is that it is impossible for everyone in the world
to have a shared secret with everyone else. PKI was invented for this reason. PKI eliminates the need for a shared
secret between you and Amazon. Digital certificates are used instead.
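The two ways of verifying that Amazon is Amazon, side by side as a challenge-response exchange: with a shared secret the customer checks a keyed MAC over a fresh challenge, with PKI the customer checks a signature made with the server's private key (the private/public key relationship that Section 4.1.2.1 describes). This is an added example, not Cisco's code and not from the white paper; the secret and the key pair are constructed for the demo, HMAC-SHA256 and ECDSA P-256 are assumptions standing in for whatever a real protocol negotiates, and PairwiseSecrets only counts the secrets the shared-secret model would need.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewChallenge returns a fresh random nonce. A new value per session is what
// stops a recorded response from being replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Shared-secret model: the server proves it holds the secret by returning
// HMAC-SHA256(secret, challenge). The verifier must hold the same secret,
// which is why every customer would need its own secret with every server.
func SharedSecretResponse(secret, challenge []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

func VerifySharedSecretResponse(secret, challenge, response []byte) bool {
	// Constant-time comparison; a plain byte comparison would leak timing.
	return hmac.Equal(SharedSecretResponse(secret, challenge), response)
}

// PKI model: the server signs the challenge with its private key. Anyone holding
// the server's public key (taken from its certificate) can check the signature,
// and the verifier holds no secret at all.
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func VerifySignedChallenge(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// PairwiseSecrets is the number of distinct shared secrets n parties need so
// that every pair can authenticate each other; with PKI each party needs one
// certificate instead.
func PairwiseSecrets(n int) int {
	return n * (n - 1) / 2
}

func main() {
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	// Constructed demo secret, not a real key.
	secret := []byte("constructed demo secret")
	resp := SharedSecretResponse(secret, challenge)
	fmt.Println("shared-secret response verifies:", VerifySharedSecretResponse(secret, challenge, resp))

	serverKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := SignChallenge(serverKey, challenge)
	fmt.Println("signed challenge verifies:", VerifySignedChallenge(&serverKey.PublicKey, challenge, sig))
	fmt.Println("shared secrets for 1000 parties:", PairwiseSecrets(1000), "certificates:", 1000)
}
```

Both responses are bound to the challenge, so a response captured from one session fails against the next one; the difference the text points at is only in what the verifier must hold: a copy of the secret in the first model, a public key it can get from a certificate in the second.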
4.1.2 Elements of Trust in PKI
PKI authentication requires two elements of trust:
Private-public key pair
Certification authority
4.1.2.1 First Element of Trust: Private-Public Key Pair
Every certificate is associated with two keys: a private key and a public key. Only the owner of the certificate knows
the private key, whereas the public key (hence its name) is known to everyone. With this key pair, asymmetric
encryption is used. A message that was encrypted with the private key can be decrypted only with its corresponding
public key and vice versa. Continuing with the example, Amazon encrypts the messages with its private key, and the
customer decrypts them using Amazon’s public key. In this way, the customer can be sure that any information he or
she decrypted with the public key was encrypted using the corresponding private key. In the same way, if one wants
to send an encrypted message to Amazon, the message is encrypted using Amazon’s public key. Only the holder of