Specifications
hg-09.fm
A31003-H3580-M103-2-76A9, 01-2009
HiPath 3000/5000 V8 - HG 1500 V8, Administrator Documentation
9-29
For internal use only
Technical Concepts
SSL and VPN
SSL uses certificates and keys to guarantee secure data transmission. VPN, on the other hand, uses certificates and keys only when no pre-shared keys are in use. For VPN connections, tunnels are set up between the communication partners that conduct calls or exchange data over an IP connection. Connections of this kind are configured using various services and rules.
9.6.1 Encryption and Keys
Keys can have the following functions:
● Ensure that data is not altered or manipulated in the course of transmission,
● Make data unreadable to outsiders.
A basic distinction is made between symmetric and asymmetric encryption. Symmetric encryption requires only one key, which is used both for encryption and decryption. Both the sender and the recipient of a data transmission encrypted in this way need this key. Asymmetric encryption uses public keys and private keys. The recipient's public key is used for encryption and the recipient's private key for decryption. In this way, the sender and recipient only have to exchange public keys; each uses its own private key for decryption.
An advantage of asymmetric encryption is that the sender and recipient do not have to share a secret (the single key). Instead, each must be able to trust the other's public key. Certificates establish the trustworthiness of public keys.
In practice, symmetric and asymmetric encryption are frequently used together, because asymmetric encryption requires enormous computing power. In mixed mode, a time-restricted key (also known as a session key) encrypts and decrypts the data using symmetric encryption. Only the session key is exchanged using asymmetric encryption.
Additional security is provided by digital signatures. These are required because data encryption only ensures that tapping attempts yield nothing but meaningless data. Signatures are used to ensure that the data was actually dispatched by the specified sender. The signature is a comparatively short but unique character string; it fulfills the function of a personal signature.
A signature is created in two stages. In the first stage, a type of checksum is created from the data you want to transfer. Special algorithms known as hash algorithms generate these checksums. They produce a fixed-length byte string from a byte string of arbitrary length. The hash algorithm generates a completely new checksum if so much as one bit
You must obtain and install the correct licenses to implement VPN functions on the HG 1500 board (see Section 7.1.3, "License Management"). You do not need licenses to use SSL.
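The mixed mode and the two-stage signature described in Section 9.6.1, shown as a working example added here (it is not part of the HG 1500 documentation or the product's own code): a per-transfer AES-256-GCM session key encrypts the data, RSA-OAEP wraps only that session key for the recipient, and the sender signs a SHA-256 checksum of the ciphertext with its private key. Ruby's standard openssl library is used; the function names, the envelope layout and the sample message are the example's own.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sender side of the mixed mode: a fresh symmetric session key encrypts the data, only that
# key is wrapped with the recipient's public key, and the sender signs a SHA-256 checksum of
# the ciphertext with its own private key (checksum first, then signature).
def seal(data, recipient_pub, sender_priv)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  session_key = cipher.random_key       # time-restricted key, used for this transfer only
  nonce = cipher.random_iv
  ciphertext = cipher.update(data) + cipher.final
  {
    wrapped_key: recipient_pub.public_encrypt(session_key, OAEP),
    nonce: nonce,
    ciphertext: ciphertext,
    tag: cipher.auth_tag,               # GCM integrity tag over the ciphertext
    signature: sender_priv.sign(OpenSSL::Digest.new('SHA256'), ciphertext)
  }
end

# Recipient side: check the signature first, then unwrap the session key with the recipient's
# private key and decrypt. Returns [plaintext, :ok], or [nil, reason] if any bit was altered.
def open_envelope(env, recipient_priv, sender_pub)
  digest = OpenSSL::Digest.new('SHA256')
  return [nil, :bad_signature] unless sender_pub.verify(digest, env[:signature], env[:ciphertext])

  session_key = recipient_priv.private_decrypt(env[:wrapped_key], OAEP)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = session_key
  cipher.iv = env[:nonce]
  cipher.auth_tag = env[:tag]
  [cipher.update(env[:ciphertext]) + cipher.final, :ok]
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
  [nil, :tampered]                      # wrapped key or GCM tag no longer matches
end

# Flip a single bit of a byte string; used to show that any change is detected.
def flip_bit(bytes)
  out = bytes.dup
  out.setbyte(0, out.getbyte(0) ^ 0x01)
  out
end
```

Flipping one bit of the ciphertext is caught by the signature check, while flipping a bit of the wrapped key or the GCM tag is caught by the OAEP or GCM integrity check, so each field is protected by at least one of the mechanisms the section describes.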