ericssonhistory.com

More documents

Recommendations

Info

Figure 7An X.500 database structure for a CA and the X.509 certificate structure.certificate can be trusted if the signature iscorrect and a trusted party has signed it. Ifthe signature on the certificate is not correct,or if a trusted party did not sign it, thena secure session will not be created. Ordinarily,a trusted party is a well-known certificateauthority (CA) that issues certificatesin a secure way. VeriSign is an exampleof a large certificate authority on the Internet.VeriSign's business concept is to providecertificate services to its customers. Serviceproviders pay a fee to receive a certificatethat they can use in their secure servers.Most Internet browsers currently includeVeriSign's public signature key in their software,and by default most browsers treatserver certificates signed by VeriSign astrusted certificates.Most certificates are only valid for a certainperiod of time. However, if a user loseshis private key, or if for some other reasonhis certificate is invalid, then the issuing certificateauthority must revoke the certificate.It does so by distributing signed listsof revoked certificates.The framework for issuing, revoking anddistributing certificates is called a publickey infrastructure. Certificates are oftenstored in and can be fetch from an X.500database. To make communication flexibleand secure, the protocols we have describedthus far need some kind of supporting PKI(Figure 7).BOX D, ERICSSON IPSECCOMPETENCE CENTERThe Ericsson IPsec competence center, in Jorvas,Finland, provides Ericsson product unitswith IPsec software, knowledge and training.The center, which is funded through EricssonResearch, has developed an implementationof IPsec that was originally developed for theACC platforms. The center has licensed an IKEimplementation and developed its own prototypeimplementation of IKE.also preferred for general secure networklayer connections, such as VPNs.PKIPublic key cryptography can be used to authenticateusers and machines. It can also beused for the secure exchange of session keys.In the security protocols we have described,authentication and key exchange are oftenclosely tied to one another, to ensure thatthe public keys for key exchange belong toa certain person or organization. One way ofmatching an identity to a public key valueis to include both parameters in a certificate.A certificate is an information sequence thatconsists of fields and a digital signature thatencompass these fields. Several different certificatestructures exist. The most commoncertificates in the Internet are based on theX.509 format. 6 The holder of a certificatecan present it to other users or network nodesfor identification or secure key exchange.When a certificate is received during sessionset-up, the receiving machine checksthe signature on it. The public key in theAAAAn administrative domain keeps customerinformation in authentication, authorizationand accounting (AAA) servers. Forroaming purposes, the AAA servers that belongto different administrative domainsneed to be able to communicate securelywith each other, either directly or, in the absenceof a direct roaming agreement, via abroker. This allows for the composition ofnetwork services that demand resourcesfrom more than one administrative domain.It also means that the corresponding AAAservers must authorize the allocation of resources.In some cases, however, authenticationand authorization are not necessary;for example, when credit cards or prepaidcards are accepted for a service (Figure 8).AAA servers represent an outgrowth ofservers that were developed for specific purposes;more particularly, when the service inuse is associated with a communicationlayer. In the GSM system, for example, customerinformation is kept in a home locationregister (HLR) and the system was de-102 Ericsson Review No. 2, 2000
signed for cellular telephony, even thoughtoday's mobile services can also be used forother purposes. On the Internet, remote authenticationdial-in user service (RADIUS)servers are commonly used for dial-up users.For electronic commerce (e-commerce), digitalcertificates are stored in databases. Ingeneral, each communication layer belongsto a different administrative domain. Consequently,a single user often has numerousidentities and must be authorized severaltimes before he or she can use a service.While it might be possible to hide this fromthe user, by employing some kind of logonscheme, each separate authentication mustbe performed. Standard AAA protocols androaming consortiums can do away with thisproblem. Organizations that manage allthree communication layers should be ableto bundle authentication services for theircustomers.Deploying IP securityAlthough they have not as yet been widelydeployed, mechanisms for secure IP networkshave been available for some time.IPsec was standardized in 1999, but preliminaryimplementations were availablesome years before. Similarly, TLS/SSL iswidely used on the World Wide Web.One reason for the delayed utilization ofsecurity solutions has been US export restrictions.Since a considerable share of Internetdevelopment takes place in the US,encryption has not been a top priority instandardization or in the marketing messagesof leading data communication companies.Today, however, the US is beginningto lift export regulations and the EuropeanUnion is increasing requirements for confidentialcommunications, thereby makingIP security products a necessary part of datacommunication portfolios. Thus, the commercialuse of cryptography products is increasingrapidly.Applications and productsEricsson implements IPsec in many productsincluding Tigris access servers 7 , Telebitrouters 8 , and general packet radio service(GPRS) nodes' to provide transparent andhigh-level security for many applications.Ericsson's wireless LAN (WLAN) solutionuses IPsec to encrypt airborne traffic.TLS has been used in many Web-basedapplications. In particular, a wireless applicationprotocol (WAP) variant, WTLS, willplay an important role in the future.Security in GPRS productsEricsson's serving GPRS support node(SGSN) and gateway GPRS support node(GGSN) contain full support for the IPsecFigure 8AAA servers and their relationships whenproviding IP access and services tomobile users.Ericsson Review No. 2, 2000 103
Page 1: Ericsson 2/2000REVIEWTHE TELECOMMUN
Page 4 and 5: ContributorsIn this issueLuis Barri
Page 6 and 7: Ericsson Review is also published o
Page 8 and 9: Evolving from cdmaOne to third-gene
Page 10 and 11: Figure 2Operators Harmonization Agr
Page 12 and 13: more features, and greater reliabil
Page 14 and 15: Figure 7Ericsson's third-generation
Page 16 and 17: Figure 11Ericsson's timeline for ev
Page 18 and 19: Third-generation TDMAChristofer Lin
Page 20 and 21: TABLE 1 MODULATION AND CODING SCHEM
Page 22 and 23: Figure 3An example of a cell patter
Page 24 and 25: Figure 5Curves illustrating maximum
Page 26 and 27: TABLE 3. DYNAMIC PACKET DATA SIMULA
Page 28 and 29: erage can be achieved in existing c
Page 30 and 31: Business solutions for mobile e-com
Page 32 and 33: Figure 2Comparison of traditional a
Page 34 and 35: BOX B, THE E-COMMERCE TIMELINE1999E
Page 36 and 37: Figure 6Mobile e-Pay end-user servi
Page 38 and 39: Figure 8Access features with push-a
Page 40 and 41: AuthenticationTo verify that end-us
Page 42 and 43: BOX C, MARKET HARMONIZATIONOn Tuesd
Page 44 and 45: Figure 2The footprint of the RBS 22
Page 46 and 47: Communications security in an all-I
Page 48 and 49: BOX B, SYMMETRIC KEY SYSTEMSGood sy
Page 50 and 51: Figure 4Construction of an ESP-prot
Page 54 and 55: Figure 9GPRS VPN scenarios.Figure 1
Page 56 and 57: TRADEMARKSRC4 and RC4 are registere
Page 58 and 59: HIPERLAN type 2 for broadband wirel
Page 60 and 61: Figure 3Typical usage of communicat
Page 62 and 63: Figure 6Mapping of higher layer pac
Page 64 and 65: TABLE 1PHYSICAL LAYER MODES OF HIPE
Page 66 and 67: Queen City WaterfrontEMERGING PROJE
Page 68 and 69: TABLE 2. IMPORTANT PARAMETERS FOR N
Page 70: Previous issuesNo. 1,2000IPv6—The

ericssonhistory.com

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?