26-Public Key Configuration
Asymmetric Key Algorithm Applications
Configuring the Local Asymmetric Key Pair
Creating an Asymmetric Key Pair
Displaying or Exporting the Local RSA or DSA Host Public Key
Destroying an Asymmetric Key Pair
Configuring the Public Key of a Peer
Displaying and Maintaining Public Keys
Public Key Configuration Examples
Configuring the Public Key of a Peer Manually
Importing the Public Key of a Peer from a Public Key File
When configuring public keys, go to these sections for information you are interested in:
l Public Key Algorithm Overview
l Configuring the Local Asymmetric Key Pair
l Configuring the Public Key of a Peer
l Displaying and Maintaining Public Keys
l Public Key Configuration Examples
Public Key Algorithm Overview
l Algorithm: A set of transformation rules for encryption and decryption.
l Plaintext: Information that has not been encrypted.
l Ciphertext: Encrypted information.
l Key: A string of characters that controls the transformation between plaintext and ciphertext. It participates in both encryption and decryption.
As shown in Figure 1-1, information is encrypted before being sent so that it stays confidential. The ciphertext is transmitted across the network and is then decrypted by the receiver to recover the original plaintext.
Figure 1-1 Encryption and decryption
There are two types of key algorithms, based on whether the keys for encryption and decryption are the same:
l Symmetric key algorithm: The same key is used for both encryption and decryption. Commonly used symmetric key algorithms include AES and DES (DES, with its 56-bit key, is no longer considered secure).
l Asymmetric key algorithm: Also called a public key algorithm. Each end has its own key pair, consisting of a private key and a public key. The private key is kept secret while the public key may be distributed widely; the private key cannot be practically derived from the public key. Information encrypted with one key of the pair can be decrypted only with the other key of the same pair.
Asymmetric key algorithms can be used for encryption and digital signature:
l Encryption: Information encrypted with the receiver's public key can be decrypted only by the receiver, who holds the corresponding private key. This provides confidentiality.
l Digital signature: The sender computes a signature over the data (in practice, over a hash of the data) with its private key. Anyone holding the sender's public key can verify the signature, which proves that the data came from the holder of the private key and was not altered in transit. For example, user 1 signs data with its private key and sends the data and signature to user 2. User 2 verifies the signature with the public key of user 1; if the signature verifies, the data is accepted as coming from user 1.
Rivest-Shamir-Adleman (RSA) and the Digital Signature Algorithm (DSA) are both asymmetric key algorithms. RSA can be used for both data encryption and signature, whereas DSA is used for signature only.
Because asymmetric key algorithms involve complex, time-consuming calculations, they are usually used for digital signatures that authenticate peer identities, while the data itself is encrypted with a much faster symmetric key algorithm.
Configuring the Local Asymmetric Key Pair
You can create and destroy a local asymmetric key pair, and export the host public key of a local asymmetric key pair.
Creating an Asymmetric Key Pair
Follow these steps to create an asymmetric key pair:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a local DSA key pair, or RSA key pairs | public-key local create { dsa | rsa } | Required. By default, there is no such key pair.
l A key pair created with the public-key local create command is stored on the device and survives a reboot.
l The public-key local create rsa command generates two key pairs: a server key pair and a host key pair. Each key pair consists of a public key and a private key.
l The length of an RSA key modulus is in the range 512 to 2048 bits. After entering the public-key local create rsa command, you are prompted to specify the modulus length. For security, a modulus of at least 768 bits is recommended.
l The public-key local create dsa command generates only one key pair, the host key pair.
l The length of a DSA key modulus is in the range 512 to 2048 bits. After entering the public-key local create dsa command, you are prompted to specify the modulus length. For security, a modulus of at least 768 bits is recommended.
l Treat the 768-bit recommendation as a historical minimum: a 768-bit RSA modulus was publicly factored in 2009, and 1024-bit RSA and DSA keys have been disallowed for new use by NIST (SP 800-131A) since 2013. Choose 2048 bits, the largest value the command accepts.
Displaying or Exporting the Local RSA or DSA Host Public Key
You can display the local RSA or DSA host public key on the screen or export it to a specified file, so that it can be configured on the remote end.
Follow these steps to display or export the local RSA or DSA host public key:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Display the local RSA host public key on the screen in a specified format, or export it to a specified file | public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ] | Use the command that matches the type of the key to be exported. Without filename the key is displayed on the screen; with filename it is written to that file.
Display the local DSA host public key on the screen in a specified format, or export it to a specified file | public-key local export dsa { openssh | ssh2 } [ filename ] | Use the command that matches the type of the key to be exported.
Destroying an Asymmetric Key Pair
A key pair may reach the end of its intended lifetime, or its private key may be compromised (leaked). In either case, destroy the pair, generate a new one, and update every peer that holds the old public key.
Follow these steps to destroy an asymmetric key pair:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Destroy an asymmetric key pair | public-key local destroy { dsa | rsa } | Required
Configuring the Public Key of a Peer
To authenticate a remote host, you need to configure the RSA or DSA public key of that peer on the local host.
To configure the public key of the peer, you can:
l Configure it manually: Type or paste the public key of the peer on the local host. The key must be the unconverted key code in Distinguished Encoding Rules (DER) format, exactly as shown by the display public-key local command on the peer.
l Import it from a public key file: The system automatically converts the key in the file into the PKCS (Public Key Cryptography Standards) encoded form that it stores. Before importing, you must upload the peer's public key file to the local host, for example through FTP or TFTP.
l Importing from a public key file is the recommended method, because it avoids transcription errors when copying a long key code by hand.
l The device supports up to 20 host public keys of peers.
Follow these steps to configure the public key of a peer manually:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter public key view | public-key peer keyname | —
Enter public key code view | public-key-code begin | —
Configure the public key of the peer | Enter the key | Required. Spaces and carriage returns are allowed between characters.
Return to public key view | public-key-code end | When you exit public key code view, the system automatically saves the public key.
Return to system view | peer-public-key end | —
Follow these steps to import the host public key of a peer from a public key file:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Import the host public key of a peer from the public key file | public-key peer keyname import sshkey filename | Required
Displaying and Maintaining Public Keys
To do… | Use the command… | Remarks
Display the public keys of the local key pairs | display public-key local { dsa | rsa } public | Available in any view
Display the public keys of the peers | display public-key peer [ brief | name publickey-name ] | Available in any view
Public Key Configuration Examples
Configuring the Public Key of a Peer Manually
Device A is authenticated by Device B when accessing Device B, so the host public key of Device A should be configured on Device B in advance.
In this example:
l RSA is used.
l The host public key of Device A is configured manually on Device B.
Figure 1-2 Network diagram for manually configuring the public key of a peer
1) Configure Device A
# Create RSA key pairs on Device A.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the created RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================
Time of Key pair created: 09:50:06 2007/08/07
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
2) Configure Device B
# Configure the host public key of Device A on Device B. In public key code view, enter the host public key of Device A, which is the HOST_KEY key code displayed on Device A by the display public-key local rsa public command (the SERVER_KEY is not used here).
<DeviceB> system-view
[DeviceB] public-key peer devicea
Public key view: return to System View with "peer-public-key end".
[DeviceB-pkey-public-key] public-key-code begin
Public key code view: return to last view with "public-key-code end".
[DeviceB-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
[DeviceB-pkey-key-code] public-key-code end
[DeviceB-pkey-public-key] peer-public-key end
# Display the host public key of Device A saved on Device B.
[DeviceB] display public-key peer name devicea
=====================================
Key Name : devicea
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
Importing the Public Key of a Peer from a Public Key File
Device A is authenticated by Device B when accessing Device B, so the host public key of Device A should be configured on Device B in advance.
In this example:
l RSA is used.
l The host public key of Device A is exported to a file, transferred to Device B, and imported on Device B from that file.
Figure 1-3 Network diagram for importing the public key of a peer from a public key file
1) Create key pairs on Device A and export the host public key
# Create RSA key pairs on Device A.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the created RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================
Time of Key pair created: 09:50:06 2007/08/07
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
# Export the RSA host public key to a file named devicea.pub.
[DeviceA] public-key local export rsa ssh2 devicea.pub
[DeviceA] quit
2) Enable the FTP server function on Device B
# Enable the FTP server function, and create an FTP user with the username ftp and password 123. The password is a lab placeholder; on a production device use a strong password, and note that password simple stores it in plain text in the configuration, whereas password cipher stores it encrypted.
<DeviceB> system-view
[DeviceB] ftp server enable
[DeviceB] local-user ftp
[DeviceB-luser-ftp] password simple 123
[DeviceB-luser-ftp] service-type ftp
[DeviceB-luser-ftp] authorization-attribute level 3
[DeviceB-luser-ftp] quit
3) Upload the public key file of Device A to Device B
# FTP the public key file devicea.pub to Device B.
<DeviceA> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] put devicea.pub
227 Entering Passive Mode (10,1,1,2,5,148).
125 ASCII mode data connection already open, transfer starting for /devicea.pub.
226 Transfer complete.
FTP: 299 byte(s) sent in 0.189 second(s), 1.00Kbyte(s)/sec.
4) Import the host public key of Device A to Device B
# Import the host public key of Device A from the key file devicea.pub to Device B.
[DeviceB] public-key peer devicea import sshkey devicea.pub
# Display the host public key of Device A saved on Device B. Because the file was transferred over clear-text FTP, check that this key code is identical to the HOST_KEY displayed on Device A before relying on it.
[DeviceB] display public-key peer name devicea
=====================================
Key Name : devicea
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
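The following Python script is an added example, not H3C/Comware code, that makes concrete what the "Key code" in the two examples above is and how the manual and file-based peer configuration relate. It parses the HOST_KEY and SERVER_KEY hex strings copied from the display public-key local rsa public output above as DER-encoded SubjectPublicKeyInfo structures, recovers the modulus size (matching the "Key Module: 1024" line shown on Device B) and the public exponent, builds the OpenSSH one-line form and the RFC 4716 "ssh2" file form that public-key local export rsa produces, parses such a file back, and performs the check that closes both examples: the key stored on Device B equals the HOST_KEY displayed on Device A, whatever line breaks were typed in public key code view. The exact header lines the device writes to the ssh2 file, the key comment and the file parser are this example's assumptions, not taken from the page.

```python
"""Decode and cross-check the RSA "Key code" strings shown in this chapter.

Added example, not H3C/Comware code. The two hex strings are copied from the
page's `display public-key local rsa public` output; the export text formats,
the key comment and the file parser are assumptions about the device's output.
"""
import base64
import re

# Copied from the page: Device A's HOST_KEY and SERVER_KEY (DER SubjectPublicKeyInfo).
HOST_KEY_HEX = (
    "30819F300D06092A864886F70D010101050003818D0030818902818100"
    "D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600"
    "497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB"
    "3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC0"
    "78B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A1"
    "0203010001"
)
SERVER_KEY_HEX = (
    "307C300D06092A864886F70D0101010500036B003068026100"
    "999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D6"
    "5BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B"
    "9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F"
    "0203010001"
)
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def parse_key_code(hex_text):
    """Parse a displayed or pasted key code into (n, e); whitespace is ignored as the CLI does."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("public key is not a byte-aligned BIT STRING")
    tag, rsa, _ = _tlv(bits, 1)  # skip the unused-bits byte
    n_tag, n_bytes, pos = _tlv(rsa, 0)
    e_tag, e_bytes, _ = _tlv(rsa, pos)
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("inner structure is not RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _ssh_mpint(value):
    """SSH mpint: length-prefixed two's complement, so a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw

def ssh_rsa_blob(n, e):
    """RFC 4253 wire encoding of an ssh-rsa public key, shared by both text formats."""
    return len(b"ssh-rsa").to_bytes(4, "big") + b"ssh-rsa" + _ssh_mpint(e) + _ssh_mpint(n)

def to_openssh(n, e, comment="devicea"):
    """One-line authorized_keys form (the 'openssh' export format)."""
    return f"ssh-rsa {base64.b64encode(ssh_rsa_blob(n, e)).decode()} {comment}"

def to_rfc4716(n, e, comment="devicea"):
    """RFC 4716 public key file (the 'ssh2' export format); header text is assumed."""
    b64 = base64.b64encode(ssh_rsa_blob(n, e)).decode()
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(lines + ["---- END SSH2 PUBLIC KEY ----"]) + "\n"

def from_ssh_file(text):
    """Parse an RFC 4716 or one-line OpenSSH public key back into (n, e)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        body = "".join(ln for ln in lines[1:-1] if ":" not in ln)  # drop header lines
    else:
        body = lines[0].split()[1]
    blob, fields, pos = base64.b64decode(body), [], 0
    while pos < len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")

def same_key(stored_code, displayed_code):
    """The check after `display public-key peer`: stored key equals the peer's displayed HOST_KEY."""
    return parse_key_code(stored_code) == parse_key_code(displayed_code)

if __name__ == "__main__":
    n, e = parse_key_code(HOST_KEY_HEX)
    print(f"HOST_KEY: RSA {n.bit_length()}-bit, e={e}\n{to_openssh(n, e)}")
```

Running the script shows that the HOST_KEY is a 1024-bit RSA key with exponent 65537, which is what Device B reports as "Key Module: 1024", while the SERVER_KEY generated alongside it decodes to only 768 bits. The parser rejects a truncated or mistyped key code with a ValueError rather than silently accepting it, which is the failure mode worth guarding against when a long hex string is pasted by hand; the round trip through to_rfc4716 and from_ssh_file mirrors the export, FTP upload and import path of the second example.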