Manualshelf

Installation guide

ManualsBrandsVMware ManualsOtherVCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION
51525354555657585960
Using Single or Paired Keys
Encryption usually uses one of the following approaches:
n
Single key (symmetric) algorithms rely on a single key that both encrypts and decrypts the
information. A single key must always be kept secret.
n
Paired keys (asymmetric) are slower but use one key to encrypt and the other to decrypt. Either key
can encrypt, then the other decrypts.
One key is considered to be the public key, which you can distribute freely, and the other is the private
key that you keep secret. For convenience, users refer to this configuration as "public key"
cryptography. One common practice is to use a public key to securely negotiate a session key, a
symmetric key that is valid only for the duration of a single connection to the server.
Certificates
In public key authentication, you must know that the key you hold is not a fake and that it came from the
entity that you think it did. Certificates are a mechanism for performing this verification.
A certificate is a package containing the public key, information identifying the owner or source of the
key, and one or more signatures that verify that the whole package is authentic. To sign a certificate, the
issuer adds the information about itself to the certificate, hashes the result, and then encrypts the hash
using its private key to create a signature.
When you have a public key, you can verify that it came from the issuer identified in a certificate because
the information in the public key is able to decrypt the signature, obtain the hash, and recalculate a
matching hash value.
It is assumed that you trust certificate issuers, directly or by virtue of trust chains. See "Trust Chains" on
page 58.
Public Key Infrastructure
Public key infrastructure (PKI) describes a management system that aids in the administration and
distribution of public keys and certificates throughout an enterprise. TLS is supported in a security
environment where certificates are managed by a PKI that guarantees the identity of servers and clients.
However, certificates can also be created, managed, and used by TLS without the support of a full PKI.
Having multiple Collectors is the main reason for creating certificates in this way. See "Certificates for
Additional Collectors" on page 64.
Trust Chains
NOTE Signing and issuing are synonymous.
An issuer's certificate can be signed by a previous issuer. This practice is called a trust chain. The chain
flows backward until you arrive at a certificate that was issued and signed by itself, or you arrive at a
certificate called a trust root. All certificates that are members of the chain can be trusted when the chain
begins with such a trusted certificate. Typically, this trust relationship works because you or someone else
has already installed the trust root in your local trusted certificate store.
VCM Security Guide
58
VMware, Inc.