User Manual

PremierWave EN User Guide 55
12: Security in Detail
Secure Sockets Layer (SSL)
SSL uses digital certificates for authentication and cryptography against eavesdropping and
tampering. Sometimes only the server is authenticated, sometimes both server and client.
The PremierWave EN can be server and/or client, depending on the application. Public key
encryption systems exchange information and keys and set up the encrypted tunnel.
Efficient symmetric encryption methods encrypt the data going through the tunnel after it is
established. Hashing provides tamper detection.
SSH and some wireless authentication methods on the PremierWave EN make use of SSL.
The PremierWave EN supports SSLv2, SSLv3, and TLS1.0.
Certificates
The goal of a certificate is to authenticate its sender. It is analogous to a paper document that
contains personal identification information and is signed by an authority, for example a
notary or government agency.
Security Certificate Principles
To sign other certificates, the authority uses a private key. The published authority certificate
contains the matching public key that allows another to verify the signature but not recreate it.
The authority’s certificate can be signed by itself, resulting in a self-signed or trusted-root
certificate, or by another (higher) authority, resulting in an intermediate authority certificate.
You can build up a chain of intermediate authority certificates, and the last certificate in the
chain will always be a trusted-root certificate.
An authority that signs others’ certificates is also called a Certificate Authority (CA). The last
in line is then the root-CA. VeriSign is a famous example of such a root-CA. Its certificate is
often built into web browsers to allow verifying the identity of website servers, which need to
have certificates signed by VeriSign or another public CA.
Since obtaining a certificate signed by a CA that is managed by another company can be
expensive, it is possible to become one’s own CA. Tools exist to generate self-signed CA
certificates or to sign other certificates.
Before it is signed, a certificate is known as a certificate request, which contains only the
identifying information. Signing it makes it a certificate. One’s certificate is also used to sign
any message transmitted to the peer, identifying the originator and preventing tampering in
transit.
In short:
When using EAP-TLS, the PremierWave EN needs a personal certificate with matching
private key to identify itself and sign its messages.
When using EAP-TLS, EAP-TTLS or PEAP, the PremierWave EN needs the authority
certificate(s) that can authenticate those it wishes to communicate with.
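How the roles above fit together in practice, as an added example that is not from the PremierWave EN guide or from Lantronix tooling: an openssl script creates a self-signed root CA, signs a device certificate request with it (the personal certificate with matching private key that EAP-TLS needs), and then checks the result against the right authority certificate and against an unrelated one. It assumes openssl is installed; the file names, subject names and the second "Unrelated CA" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Lantronix's own tooling): build a private CA, turn a
# device certificate request into a signed certificate, and verify the chain.
# Assumes openssl is installed; all file and subject names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed (trusted-root) CA: the private key signs, the certificate
# publishes the matching public key. $1 = base name, $2 = subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Device key plus an unsigned certificate request holding its identity.
make_device_request() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" \
    -subj "/CN=premierwave-en-example" >/dev/null 2>&1
}

# The CA signs the request; the output is the device's personal certificate.
sign_device_request() {
  openssl x509 -req -in "$WORK/device.csr" -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/device.crt" >/dev/null 2>&1
}

# Check a certificate against a trust anchor ($1 = CA cert, $2 = cert).
# Prints "ok" or "fail" so callers can compare the result.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Build everything: the signing CA, a second unrelated CA, and the device cert.
build_chain_demo() {
  make_ca ca "Example Private CA"
  make_ca other "Unrelated CA"
  make_device_request
  sign_device_request
}

build_chain_demo
verify_against "$WORK/ca.crt" "$WORK/device.crt"      # ok: signed by this CA
verify_against "$WORK/other.crt" "$WORK/device.crt"   # fail: wrong authority
```

The second check is the point of the authority certificate: a CA's public key lets a peer verify signatures made with that CA's private key and nothing else, so a certificate signed by a different authority is rejected.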