10-Security Configuration Guide

HomeSupportResource CenterRoutersH3C SR8800 Series RoutersH3C SR8800Technical DocumentsConfigureConfiguration GuideH3C SR8800 Configuration Guide-Release3347-6W10310-Security Configuration Guide
06-Public Key Configuration
Title Size Download
06-Public Key Configuration 123.62 KB

Asymmetric key algorithm overview

Basic concepts

·     Algorithm: A set of transformation rules for encryption and decryption.

·     Plain text: Information without being encrypted.

·     Cipher text: Encrypted information.

·     Key: A string of characters that controls the transformation between plain text and cipher text. It is used in both the encryption and decryption.

Key algorithm types

As shown in Figure 1, the information in plain text is encrypted by an algorithm with the help of a key before being sent. The resulting cipher text is transmitted across the network to the receiver, where it is decrypted by the same algorithm also with the help of a key to obtain the original plain text.

Figure 1 Encryption and decryption

 

The following types of key algorithms are available, based on whether the keys for encryption and decryption are the same:

·     Symmetric key algorithm—The keys for encryption and decryption are the same. Commonly used symmetric key algorithms include Advanced Encryption Standard (AES) and Data Encryption Standard (DES).

·     Asymmetric key algorithm—The keys for encryption and decryption are different, one is the public key, and the other is the private key. The information encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the public key may be distributed widely. The private key cannot be practically derived from the public key.

Asymmetric key algorithm applications

Asymmetric key algorithms can be used for encryption and digital signature.

·     EncryptionThe sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt the information. This mechanism guarantees confidentiality.

·     Digital signatureThe sender “signs” the information to be sent by encrypting the information with its own private key. A receiver decrypts the information with the sender's public key and, based on whether the information can be decrypted, determines the authenticity of the information.

The Revest-Shamir-Adleman Algorithm (RSA), the Digital Signature Algorithm (DSA), and the Elliptic Curve Digital Signature Algorithm (ECDSA) are asymmetric key algorithms. RSA can be used for data encryption/decryption and signature, whereas DSA and ECDSA are used for signature only.

 

 

NOTE:

·     Symmetric key algorithms are often used to encrypt/decrypt data for security. Asymmetric key algorithms are usually used in digital signature applications for peer identity authentication because they involve complex calculations and are time-consuming. In digital signature applications, only the digests, which are relatively short, are encrypted.

·     The device does not support ECDSA.

 

Configuring the local asymmetric key pair

You can create and destroy a local asymmetric key pair, and export the host public key of a local asymmetric key pair.

Creating an asymmetric key pair

To create an asymmetric key pair:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a local DSA key pair, or RSA key pairs.

public-key local create { dsa | rsa }

By default, no key pair is created.

 

The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair comprises a public key and a private key. The public-key local create dsa command generates only one key pair, the host key pair.

After you enter the command, you are aksed to specify the modulus length. The length of an RAS or DSA key modulus is in the range of 512 to 2048 bits. To achieve higher security, specify a modulus at least 768 bits.

 

 

NOTE:

Key pairs created with the public-key local create command are saved automatically and can survive system reboots.

 

Displaying or exporting the local RSA or DSA host public key

Display the local RSA or DSA host public key on the screen or export it to a specific file. Then, you can configure the local RSA or DSA host public key on the remote end so that the remote end can use the host public key to authenticate the local end through digital signature.

To display or export the local RSA or DSA host public key:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Display the local RSA or DSA host public key on the screen in a specific format, or export it to a specific file.

·     Display or export the local RSA host public key:
public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]

·     Display or export the local DSA host public key:
public-key local export dsa
{ openssh | ssh2 } [ filename ]

Select a command according to the type of the key to be exported.

 

Destroying an asymmetric key pair

You may need to destroy an asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, or the asymmetric key has been used for a long time.

To destroy an asymmetric key pair:

 

Step

Command

1.     Enter system view.

system-view

2.     Destroy an asymmetric key pair.

public-key local destroy { dsa | rsa }

 

Configuring a peer public key

To enable your local device to authenticate a peer device, configure the peer RSA or DSA public key on the local device. The following methods are available:

·     Import it from a public key file—Obtain a copy of the peer public key file through FTP or TFTP (in binary mode) first, and then import the public key from the file. During the import process, the system automatically converts the public key to a string in PKCS (Public Key Cryptography Standards) format. H3C recommends that you follow this method to configure the peer public key.

·     Configure it manuallyIf the peer device is an H3C device, you can use the display public-key local public command to view and record its public key. On the local device, input or copy the key data in public key code view. A public key displayed by other methods may not in the PKCS format, and the system cannot save the format-incompliant key.

 

 

NOTE:

The router supports up to 20 peer pubic keys.

 

To import a peer host public key from the public key file to the local device:

 

Step

Command

1.     Enter system view.

system-view

2.     Import the peer host public key from the public key file.

public-key peer keyname import sshkey filename

 

To configure a peer public key manually:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify a name for a peer public key and enter public key view.

public-key peer keyname

N/A

3.     Enter public key code view.

public-key-code begin

N/A

4.     Configure the peer server or host public key.

Type or copy the key

Spaces and carriage returns are allowed between characters.

5.     Return to public key view.

public-key-code end

When you exit public key code view, the system automatically saves the public key.

6.     Return to system view.

peer-public-key end

N/A

 

 

NOTE:

Do not configure a peer RSA server public key for identity authentication in SSH applications. Authentication in SSH applications uses the RSA host public key. For more information about SSH, see the chapter “Configuring SSH.

 

Displaying and maintaining public keys

 

Task

Command

Remarks

Display the local public keys.

display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]

Available in any view

Display the peer public keys.

display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]

Available in any view

 

Public key configuration examples

Configuring a peer public key manually

Network requirements

As shown in Figure 2, to prevent illegal access, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.

·     Configure Device B to use the asymmetric key algorithm of RSA for identity authentication of Device A.

·     Manually configure the host public key of Device A on Device B.

Figure 2 Network diagram

 

Configuration procedure

1.     Configure Device A.

# Create RSA key pairs on Device A.

<DeviceA> system-view

[DeviceA] public-key local create rsa

Warning: The local key pair already exist.

Confirm to replace them? [Y/N]:y

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++

++++++++++++++++++++++++++++

# Display the public keys of the created RSA key pairs.

[DeviceA] display public-key local rsa public

 

=====================================================

Time of Key pair created: 09:50:06  2007/08/07

Key name: HOST_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

 

=====================================================

Time of Key pair created: 09:50:07  2007/08/07

Key name: SERVER_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001

2.     Configure Device B.

# Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A using the display public-key local dsa public command.

<DeviceB> system-view

[DeviceB] public-key peer devicea

Public key view: return to System View with "peer-public-key end".

[DeviceB-pkey-public-key] public-key-code begin

Public key code view: return to last view with "public-key-code end".

[DeviceB-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

[DeviceB-pkey-key-code] public-key-code end

[DeviceB-pkey-public-key] peer-public-key end

# Display the host public key of Device A saved on Device B.

[DeviceB] display public-key peer name devicea

 

=====================================

  Key Name  : devicea

  Key Type  : RSA

  Key Module: 1024

=====================================

Key Code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

Importing a peer public key from a public key file

Network requirements

As shown in Figure 3, to prevent illegal access, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.

·     Configure Device B to use the asymmetric key algorithm of RSA for identity authentication of Device A.

·     Import the host public key of Device A from the public key file to Device B.

Figure 3 Network diagram

 

Configuration procedure

1.     Create key pairs on Device A and export the host public key.

# Create RSA key pairs on Device A.

<DeviceA> system-view

[DeviceA] public-key local create rsa

Warning: The local key pair already exist.

Confirm to replace them? [Y/N]:y

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

+++++

++++++

+++++++++++

+++

# Display the public keys of the created RSA key pairs.

[DeviceA] display public-key local rsa public

 

=====================================================

Time of Key pair created: 09:50:06  2007/08/07

Key name: HOST_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

 

=====================================================

Time of Key pair created: 09:50:07  2007/08/07

Key name: SERVER_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001

# Export the RSA host public key to a file named devicea.pub.

Warning: The filename has already existed.

Do you want to replace the file? [Y/N]:y

.....

[DeviceA] quit

2.     Enable the FTP server function on Device B.

# Enable the FTP server function, create an FTP user with the username ftp, password 123, and user level 3.

<DeviceB> system-view

[DeviceB] ftp server enable

[DeviceB] local-user ftp

[DeviceB-luser-ftp] password simple 123

[DeviceB-luser-ftp] service-type ftp

[DeviceB-luser-ftp] authorization-attribute level 3

[DeviceB-luser-ftp] quit

3.     Upload the public key file of Device A to Device B.

# FTP the public key file devicea.pub to Device B with the file transfer mode of binary.

<DeviceA> ftp 10.1.1.2

Trying 10.1.1.2 ...

Press CTRL+K to abort

Connected to 10.1.1.2.

220 FTP service ready.

User(10.1.1.2:(none)):ftp

331 Password required for ftp.

Password:

230 User logged in.

[ftp] binary

200 Type set to I.

[ftp] put devicea.pub

227 Entering Passive Mode (10,1,1,2,5,148).

125 BINARY mode data connection already open, transfer starting for /devicea.pub.

226 Transfer complete.

FTP: 299 byte(s) sent in 0.189 second(s), 1.00Kbyte(s)/sec.

4.     Import the host public key of Device A to Device B.

# Import the host public key of Device A from the key file devicea.pub to Device B.

[DeviceB] public-key peer devicea import sshkey devicea.pub

Warning: You have already peer public key named devicea.

Do you really want to replace it? [Y/N]:y

# Display the host public key of Device A saved on Device B.

[DeviceB] display public-key peer name devicea

 

=====================================

  Key Name  : devicea

  Key Type  : RSA

  Key Module: 1024

=====================================

Key Code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001