Phase I Using Certificates

When certificates are used, the first exchange serves the same purpose as with pre-shared keys: negotiating the Phase 1 SA (encryption and hash algorithms, Diffie-Hellman group, lifetime, and the authentication method, here digital signatures). In the second exchange the peers swap Diffie-Hellman public values and nonces; the resulting shared secret keys the rest of Phase 1, so everything from the third exchange on travels encrypted. In the third exchange each peer sends its identity and its certificate, together with a signature over the Phase 1 hash (HASH_I or HASH_R) made with its own private key. The receiver verifies that signature with the sender's public key, and it takes that public key from the sender's certificate, which it first verifies using the CA's public key.

In IKE main mode, the first and second exchanges are the same whether a pre-shared key or digital certificates are used; the difference comes in the third exchange, where the two peers authenticate each other. With certificates, each peer sends its own certificate. That certificate was issued by the CA, which signed it with the CA's private key. Recall what was said earlier: every entity holds the CA's certificate, and therefore the CA's public key. It is the receiving peer, not the CA (which plays no part in the exchange), that uses the CA's public key to check the CA's signature on the certificate it has just received; a good signature confirms that the certificate is legitimate and that the public key inside it belongs to the named peer. Only then does the second signature come into play: the message itself is signed with the sender's private key and verified with the sender's public key, where that public key is the one taken from the now-trusted certificate. Two signatures, two key pairs: the CA's signature on the certificate, and the peer's signature on the Phase 1 hash.
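The third exchange described above, written out as an added example that is not part of the original post, in Go using only the standard library. It models a CA issuing certificates, the initiator signing the Phase 1 hash with its own private key, and the responder checking first the certificate against the CA's public key and then the signature against the public key taken from that certificate. The names (RunExchange, hashI, verifyAuthMessage, AuthMessage), the HMAC-SHA256 stand-in for HASH_I, the ECDSA P-256 keys, and the byte strings standing in for SKEYID, the DH public values, cookies and SA payload are all constructed for this example; real IKEv1 derives SKEYID from the nonces and the DH secret and uses the negotiated hash and signature algorithms.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must stops the example on setup failures (key generation, certificate encoding).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key pair plus a certificate for name: self-signed when parent is nil
// (the CA's own certificate), otherwise signed with parentKey, the CA's private key.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // private half never leaves its owner
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, issuer := key, tmpl
	if parent != nil {
		signer, issuer = parentKey, parent
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// hashI models HASH_I: a hash keyed with SKEYID over the exchange data (DH public values, cookies,
// SA payload) and the ID payload. Signing this, not the certificate, ties the signature to this run.
func hashI(skeyid, exchange, idPayload []byte) []byte {
	mac := hmac.New(sha256.New, skeyid)
	mac.Write(exchange)
	mac.Write(idPayload)
	return mac.Sum(nil)
}

// AuthMessage is the third-exchange payload set: ID, CERT and SIG.
type AuthMessage struct {
	IDPayload, CertDER, Signature []byte
}

// buildAuthMessage is the sender side: HASH_I signed with the sender's own private key.
func buildAuthMessage(skeyid, exchange, id []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) AuthMessage {
	sig := must(ecdsa.SignASN1(rand.Reader, key, hashI(skeyid, exchange, id)))
	return AuthMessage{IDPayload: id, CertDER: cert.Raw, Signature: sig}
}

// verifyAuthMessage is the receiver side: first the CA's signature on the certificate is checked
// with the trusted CA's public key, then the peer's signature with the public key from that certificate.
func verifyAuthMessage(roots *x509.CertPool, skeyid, exchange []byte, msg AuthMessage) error {
	cert, err := x509.ParseCertificate(msg.CertDER)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, hashI(skeyid, exchange, msg.IDPayload), msg.Signature) {
		return fmt.Errorf("signature over HASH_I does not verify with the certificate's public key")
	}
	return nil
}

// RunExchange has a responder that trusts one CA check three messages: the initiator's genuine one,
// one carrying a certificate from a rogue CA, and the genuine one with its ID payload altered in transit.
func RunExchange() (genuine, untrustedCA, tamperedID error) {
	ca, caKey := newCert("Example IKE CA", nil, nil)
	rogueCA, rogueKey := newCert("Rogue CA", nil, nil)
	certI, keyI := newCert("initiator.example", ca, caKey)
	rogueCertI, rogueKeyI := newCert("initiator.example", rogueCA, rogueKey)
	skeyid, exchange := []byte("constructed-skeyid"), []byte("g^xi|g^xr|CKY-I|CKY-R|SAi_b") // constructed stand-ins
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the responder holds only the real CA's certificate
	msg := buildAuthMessage(skeyid, exchange, []byte("initiator.example"), certI, keyI)
	rogue := buildAuthMessage(skeyid, exchange, msg.IDPayload, rogueCertI, rogueKeyI)
	forged := AuthMessage{[]byte("someone-else.example"), msg.CertDER, msg.Signature} // ID changed, SIG reused
	return verifyAuthMessage(roots, skeyid, exchange, msg), verifyAuthMessage(roots, skeyid, exchange, rogue),
		verifyAuthMessage(roots, skeyid, exchange, forged)
}

func main() {
	fmt.Println(RunExchange()) // three verdicts: <nil> means accepted, otherwise the rejection reason
}
```

Run it with `go run`; the three printed values are the responder's verdicts: `<nil>` for the genuine message, and an error both for the certificate issued by a CA the responder does not trust and for the message whose ID payload was changed after signing. That second rejection is why the peer signs HASH_I instead of merely presenting a certificate: the certificate proves that the public key belongs to the named peer, and the signature proves that whoever holds the matching private key took part in this particular exchange.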

 
