This article explains Device Authentication and outlines its importance.
Device authentication is the process of verifying the identity and security posture of a device before allowing it to access network resources. Device authentication is implemented using digital certificates in Cato. It is part of the zero-trust security framework to ensure that only trusted devices are allowed to access the network and to specific network resources.
The core principle of zero trust security is that no device or user should be automatically trusted. Zero trust assumes that every access request, whether from inside or outside the network, is potentially coming from a malicious actor or compromised device.
Device authentication ensures that only authorized devices are allowed access to network resources. By verifying the identity and security posture of each device before granting access, zero-trust limits the risk of a potential breach caused by a compromised or unauthorized device.
Cato Device Authentication is based on asymmetric key encryption. Asymmetric key encryption, also known as public key cryptography, is a cryptographic technique that uses a pair of mathematically related keys to secure information. The two keys are called the public key and the private key. Cato doesn’t generate the certificates or manage their lifecycle.
Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The public key can be shared openly, while the private key is kept secret.
This method of encryption is secure because even though the public key can be openly shared, it cannot be used to decrypt messages that were encrypted with it. Only the corresponding private key can decrypt the message.
Step 1: Upload the root certificate to the Cato Management Application. The certificate also contains the public key. The public key can be shared openly.
Step 2: Upload the device certificate and private key to the device. The device should keep the private key secret. The device should also be running the Cato SDP client.
Step 3: When a Cato SDP Client connects to the Cato PoP (Point of Presence), Cato determines if device authentication is enabled.
Step 4: If device authentication is enabled, Cato asks the Client to authenticate with a certificate. Cato then verifies the certificate's authenticity and checks that the certificate has not expired.
Step 5: To verify the authenticity of the device, Cato sends an encrypted challenge. The encrypted challenge is a random message that is generated by Cato and encrypted with the public key obtained from the root certificate uploaded to Cato in Step 1.
Step 6: The device uses its private key to decrypt the encrypted challenge and sends the decrypted challenge to Cato.
Step 7: If the decrypted challenge matches the original, the device is authenticated and granted access to the defined resources.
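The flow above as an added example, not Cato's own code: a constructed root CA and device certificate stand in for the customer's PKI (which Cato does not run), Authenticate plays the PoP side and DeviceResponder plays the SDP Client. It assumes the challenge is encrypted with RSA-OAEP to the public key in the presented device certificate, which must chain to the uploaded root and be unexpired; the names "Example Root CA" and "laptop-42" are made up.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate for pub (parent == nil: self-signed root). It stands in for the customer's PKI.
func sign(cn string, ca bool, ttl time.Duration, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(ttl), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// MakePKI builds a constructed PKI: the root certificate (uploaded to Cato) plus one device certificate; negative ttl = expired.
func MakePKI(ttl time.Duration) (root, dev *x509.Certificate, devKey *rsa.PrivateKey, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	if root, err = sign("Example Root CA", true, 24*time.Hour, &caKey.PublicKey, nil, caKey); err != nil { return }
	if devKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil { return }
	dev, err = sign("laptop-42", false, ttl, &devKey.PublicKey, root, caKey) // private key never leaves the device
	return
}

// DeviceResponder is the SDP client side: it decrypts the challenge with the device's private key.
func DeviceResponder(key *rsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(sealed []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), nil, key, sealed, nil) }
}
// Authenticate is the PoP side: Verify checks the chain to the uploaded root and expiry, then a challenge proves key possession.
func Authenticate(root, dev *x509.Certificate, decrypt func([]byte) ([]byte, error)) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: pool}); err != nil { return fmt.Errorf("certificate rejected: %w", err) }
	challenge := make([]byte, 32) // random message, encrypted to the public key in the device certificate
	if _, err := rand.Read(challenge); err != nil { return err }
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, dev.PublicKey.(*rsa.PublicKey), challenge, nil)
	if err != nil { return err }
	answer, err := decrypt(sealed)
	if err != nil || !bytes.Equal(answer, challenge) { return fmt.Errorf("challenge mismatch: device does not hold the private key") }
	return nil
}
```

MakePKI(-time.Hour) yields an expired device certificate, which Authenticate rejects before any challenge is sent; a certificate presented without its matching private key fails at the challenge step instead.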