Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Introduction to PKI authentication

PKI authentication is the methodology used to verify the identity of a user by checking the validity of a certificate that is bound to a specific user identity.

PKI authentication is an alternative to traditional password based authentication. The traditional method is based on "what you know" - a password used for authentication. PKI authentication is based on "what you have" - a private key related to the certificate bound to the user.

A common weakness of traditional password based authentication is the vulnerability to password guessing or brute force attack. PKI authentication is more resilient to this type of attack, hence PKI provides a stronger authentication mechanism.

In cryptography, PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). PKI authentication relies on two factors:

  • Chain of trust. If the Root CA is trusted, then all certificates issued by the Root CA are trusted, as are all certificates issued by any intermediate CA that is trusted by the Root CA.
  • Public key encryption algorithm. The data encrypted by public key can only be decrypted by private key. This is the basis for asymmetric data encryption. Similarly, the data encrypted by private key can be decrypted by the public key. This is usually used for digital signature. The private key is only available to a specific individual, while its related public key is embedded in the certificate signed by a CA.

PKI authentication can be implemented on FortiMail for administrators and email users. The FortiMail operation mode determines what these users can access using PKI authentication. The following table describes the impact of operation mode on each FortiMail user type.

Access types and FortiMail operation mode

Access type

FortiMail operation mode

Description

Administrative

Server

Gateway

Transparent

Administrators use PKI authentication to perform FortiMail management and administration functions, regardless of the FortiMail operation mode.

Email users

Server

Email users use PKI authentication to access regular email and quarantined email that is hosted on a FortiMail unit when operating in server mode.

Quarantined (spam) email only

Gateway

Transparent

Email users use PKI authentication to access quarantined email (spam) contained in a bulk folder that is hosted on a FortiMail unit when operating in gateway or transparent mode.

Introduction to PKI authentication

PKI authentication is the methodology used to verify the identity of a user by checking the validity of a certificate that is bound to a specific user identity.

PKI authentication is an alternative to traditional password based authentication. The traditional method is based on "what you know" - a password used for authentication. PKI authentication is based on "what you have" - a private key related to the certificate bound to the user.

A common weakness of traditional password based authentication is the vulnerability to password guessing or brute force attack. PKI authentication is more resilient to this type of attack, hence PKI provides a stronger authentication mechanism.

In cryptography, PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). PKI authentication relies on two factors:

  • Chain of trust. If the Root CA is trusted, then all certificates issued by the Root CA are trusted, as are all certificates issued by any intermediate CA that is trusted by the Root CA.
  • Public key encryption algorithm. The data encrypted by public key can only be decrypted by private key. This is the basis for asymmetric data encryption. Similarly, the data encrypted by private key can be decrypted by the public key. This is usually used for digital signature. The private key is only available to a specific individual, while its related public key is embedded in the certificate signed by a CA.

PKI authentication can be implemented on FortiMail for administrators and email users. The FortiMail operation mode determines what these users can access using PKI authentication. The following table describes the impact of operation mode on each FortiMail user type.

Access types and FortiMail operation mode

Access type

FortiMail operation mode

Description

Administrative

Server

Gateway

Transparent

Administrators use PKI authentication to perform FortiMail management and administration functions, regardless of the FortiMail operation mode.

Email users

Server

Email users use PKI authentication to access regular email and quarantined email that is hosted on a FortiMail unit when operating in server mode.

Quarantined (spam) email only

Gateway

Transparent

Email users use PKI authentication to access quarantined email (spam) contained in a bulk folder that is hosted on a FortiMail unit when operating in gateway or transparent mode.