Solved: Re: Difference between PKI and RSA-signatures

abhijith891 · ‎08-20-2018

Hi all, I believe the 3 authentication methods in a Site-Site VPN are PSK, PKI and RSA-sig. But I am not very clear about how different PKI and RSA Sig mechanisms are from each other. So can someone please explain the difference between same?

Regards,

Abhijit

Graham Bartlett · ‎08-20-2018

Hi
RSA-Sig is basically using RSA Nonces(which are only used in IKEv1, not IKEv2), take a look here;

http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=5

In summary you have the peers public key, but this is just the key and not sent in a certificate (like in PKI). So you need to manually configure all peers public keys that you want to talk to. PKI overcomes this limitations by using a CA.

cheers

View solution in original post

Rob Ingram · ‎08-20-2018

Hi,

A Site-to-Site VPN can use either PSK or certificates to authenticate. A certificate is either rsa-sig or ecsda-sig (Suite-B NGE) they are issued by a PKI (aka Certificate Authority). You need a PKI (Public Key Infrastruture) in order to distribute the certificates to use for certificate authentication.

HTH

Graham Bartlett · ‎08-20-2018

Hi
RSA-Sig is basically using RSA Nonces(which are only used in IKEv1, not IKEv2), take a look here;

http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=5

In summary you have the peers public key, but this is just the key and not sent in a certificate (like in PKI). So you need to manually configure all peers public keys that you want to talk to. PKI overcomes this limitations by using a CA.

cheers

abhijith891 · ‎08-21-2018

Thanks a lot Graham. Things are pretty clear now. Cheers.