Security Configuration Guide

07-Public Key Configuration


• The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

• Feature support on the H3C WA series WLAN access points (APs) may vary by AP model. For more information, see Feature Matrix.

• The interface types and the number of interfaces vary by AP model.

• The term AP in this document refers to common APs, wireless bridges, and mesh APs.

 

This chapter includes these sections:

• Asymmetric Key Algorithm Overview

• Configuring the Local Asymmetric Key Pair

• Configuring the Public Key of a Peer

• Displaying and Maintaining Public Keys

• Public Key Configuration Examples

Asymmetric Key Algorithm Overview

Basic Concepts

• Algorithm: a set of transformation rules for encryption and decryption.

• Plaintext: information that has not been encrypted.

• Ciphertext: the encrypted form of the information.

• Key: a secret value (a string of bits or characters) that controls the transformation between plaintext and ciphertext. It is an input to both encryption and decryption.

Key Algorithm Types

As shown in Figure 1-1, the plaintext is encrypted by an algorithm under the control of a key before being sent. The resulting ciphertext is transmitted across the network to the receiver, where the same algorithm, again under the control of a key, decrypts it to recover the original plaintext.

Figure 1-1 Encryption and decryption

 

There are two types of key algorithms, based on whether the keys for encryption and decryption are the same:

• Symmetric key algorithm: the keys for encryption and decryption are the same. Commonly used symmetric key algorithms include the Advanced Encryption Standard (AES) and the Data Encryption Standard (DES). DES, with its 56-bit key, is no longer considered secure against brute force; prefer AES wherever both peers support it.

• Asymmetric key algorithm: the keys for encryption and decryption are different; one is the public key and the other is the private key. Information encrypted with the public key can be decrypted only with the corresponding private key (and, for RSA, a transformation made with the private key can be undone only with the public key, which is what a signature relies on). The private key is kept secret while the public key may be distributed widely, and the private key cannot practically be derived from the public key.

Asymmetric Key Algorithm Applications

Asymmetric key algorithms can be used for encryption/decryption and for digital signatures:

• Encryption/decryption: the sender encrypts the information with the public key of the intended receiver. Only the intended receiver, the holder of the paired private key, can decrypt it. This provides confidentiality.

• Digital signature: the sender "signs" the information by transforming it (in practice, a digest of it) with its own private key. The receiver applies the sender's public key to the signature and compares the result with the digest it computes itself. A match shows that the information came from the holder of the private key and was not altered in transit; a mismatch means the signature must be rejected.

Rivest-Shamir-Adleman (RSA) and the Elliptic Curve Digital Signature Algorithm (ECDSA) are both asymmetric key algorithms. RSA can be used for both data encryption/decryption and signatures, whereas ECDSA is used for signatures only.

 

Symmetric key algorithms are normally used to encrypt and decrypt bulk data because they are fast. Asymmetric key algorithms involve far more expensive computation, so they are reserved for operations on small amounts of data, chiefly digital signatures for peer identity authentication. In digital signature applications only the message digest, which is short, is transformed with the private key; the message itself is not encrypted by the signing step.

 

Configuring the Local Asymmetric Key Pair

You can create and destroy a local asymmetric key pair, and export the host public key of a local asymmetric key pair.

Creating an Asymmetric Key Pair

Follow these steps to create an asymmetric key pair:

To do…                                          Use the command…                            Remarks
Enter system view                               system-view
Create a local ECDSA key pair or RSA key pairs  public-key local create { ecdsa | rsa }     Required. By default, there is no such key pair.

 

• The public-key local create rsa command generates two key pairs: a server key pair and a host key pair. Each key pair consists of a public key and a private key.

• The length of an RSA key modulus is in the range 512 to 2048 bits. After you enter the public-key local create rsa command, you are prompted for the modulus length. Specify at least 768 bits, and prefer 2048 bits wherever the peers support it: 512-bit RSA moduli can be factored with modest resources, and a 768-bit modulus has been factored publicly, so 768 bits is a floor rather than a target.

• The length of an ECDSA host key cannot exceed 192 bits.

 

Key pairs created with the public-key local create command are saved automatically and can survive system reboots.

 

Displaying or Exporting the Local RSA Host Public Key

Display the local RSA host public key on the screen or export it to a specified file. Then, you can configure the local RSA host public key on the remote end so that the remote end can use the host public key to authenticate the local end through digital signature.

Follow these steps to display or export the local RSA host public key:

To do…                                                        Use the command…                                                     Remarks
Enter system view                                             system-view
Display the local RSA host public key on the screen in a      public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]   Required
specified format, or export it to a specified file

 

Destroying an Asymmetric Key Pair

An asymmetric key pair may expire, or its private key may be compromised. In either case, destroy the key pair, generate a new one, and update every peer that was configured with the old public key so that the old key can no longer be used to authenticate.

Follow these steps to destroy an asymmetric key pair:

To do…                           Use the command…                           Remarks
Enter system view                system-view
Destroy an asymmetric key pair   public-key local destroy { ecdsa | rsa }   Required

 

Configuring the Public Key of a Peer

To enable the local host to authenticate a remote host, configure the RSA public key of that peer on the local host by either of these methods:

• Configure it manually: view the peer's host public key with the display command (or by other means) on the remote host and record it. On the local host, type or paste the key data in public key code view.

• Import it from a public key file: the system automatically converts the public key to a string coded using PKCS (Public Key Cryptography Standards). Before importing the public key, upload the peer's public key file (in binary mode) to the local host through FTP or TFTP. Neither FTP nor TFTP protects the file in transit, so compare the imported key (for example, the display public-key peer output) with the key the peer itself displays before relying on it for authentication.

 

• If you choose to input the public key manually, the key data must be in the correct format. The key data displayed by the display public-key local { ecdsa | rsa } public command on the peer meets the format requirements; public keys displayed by other means may not. A format-incompliant key cannot be saved, so importing the public key from a file is the recommended method.

• The AP supports up to 20 host public keys of peers.

 

Follow these steps to configure the public key of a peer manually:

To do…                               Use the command…           Remarks
Enter system view                    system-view
Enter public key view                public-key peer keyname
Enter public key code view           public-key-code begin
Configure a public key of the peer   Type or copy the key       Required. Spaces and carriage returns are allowed between characters.
Return to public key view            public-key-code end        When you exit public key code view, the system automatically saves the public key.
Return to system view                peer-public-key end

 

Follow these steps to import the host public key of a peer from the public key file:

To do…                                                          Use the command…                                   Remarks
Enter system view                                               system-view
Import the host public key of a peer from the public key file   public-key peer keyname import sshkey filename     Required
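The following Python is an added illustration, not code from the H3C guide or the AP's own import routine. It shows what the openssh and ssh2 files written by public-key local export rsa contain (the same RFC 4253 "ssh-rsa" blob in two wrappers), parses either form back into (n, e) as a peer-key import must, refuses format-incompliant input, and computes OpenSSH-style fingerprints that an operator can compare on both devices before trusting an imported key. The modulus in demo() is a constructed toy value; the ssh1 text format is not covered.

```python
"""OpenSSH and RFC 4716 ("ssh2") RSA public key formats, standard library only.

Added illustration, not H3C code and not the AP's import routine. It
builds the RFC 4253 "ssh-rsa" blob, wraps it in the openssh and ssh2
formats, parses either back into (n, e), rejects malformed input, and
computes OpenSSH-style fingerprints. The modulus in demo() is a
constructed toy value.
"""
import base64
import hashlib
import struct

BEGIN_SSH2 = "---- BEGIN SSH2 PUBLIC KEY ----"
END_SSH2 = "---- END SSH2 PUBLIC KEY ----"


def _string(b: bytes) -> bytes:
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    """RFC 4251 mpint: length-prefixed big-endian two's complement. A leading
    0x00 is kept when the top bit is set so the value stays positive."""
    if x == 0:
        return struct.pack(">I", 0)
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def rsa_blob(n: int, e: int) -> bytes:
    """RFC 4253 ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def to_openssh(n: int, e: int, comment: str = "ap-host-key") -> str:
    """One-line authorized_keys style: type, base64 blob, comment."""
    return f"ssh-rsa {base64.b64encode(rsa_blob(n, e)).decode()} {comment}"


def to_ssh2(n: int, e: int, comment: str = "ap-host-key") -> str:
    """RFC 4716 wrapper around the same blob, base64 wrapped at 70 columns."""
    b64 = base64.b64encode(rsa_blob(n, e)).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN_SSH2, f'Comment: "{comment}"', *body, END_SSH2]) + "\n"


def _read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated SSH key blob")
    return buf[off:off + length], off + length


def parse_blob(blob: bytes):
    """Return (n, e); reject other key types and trailing garbage."""
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"unsupported key type {ktype!r}")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after ssh-rsa blob")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def import_sshkey(text: str):
    """Accept an openssh one-liner or an RFC 4716 file; return (n, e).
    Anything else is treated as format-incompliant and refused."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    parts = lines[0].split() if lines else []
    if len(parts) >= 2 and parts[0] == "ssh-rsa":
        b64 = parts[1]
    elif len(lines) >= 3 and lines[0] == BEGIN_SSH2 and lines[-1] == END_SSH2:
        b64 = "".join(ln for ln in lines[1:-1] if ":" not in ln)  # skip header lines
    else:
        raise ValueError("format-incompliant key: not openssh or ssh2")
    return parse_blob(base64.b64decode(b64, validate=True))  # bad base64 is a ValueError too


def fingerprints(n: int, e: int):
    """OpenSSH-style SHA256 (unpadded base64) and MD5 (colon hex) fingerprints."""
    blob = rsa_blob(n, e)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def demo():
    """Round-trip a constructed toy modulus (two Mersenne primes, far too
    small for real use) through both formats and reject a non-RSA key."""
    n, e = (2 ** 127 - 1) * (2 ** 89 - 1), 65537
    same_key = import_sshkey(to_openssh(n, e)) == import_sshkey(to_ssh2(n, e)) == (n, e)
    same_fp = fingerprints(*import_sshkey(to_ssh2(n, e))) == fingerprints(n, e)
    try:
        import_sshkey("ssh-rsa " + base64.b64encode(_string(b"ssh-dss")).decode() + " x")
        rejected = False
    except ValueError:
        rejected = True
    return same_key, same_fp, rejected


if __name__ == "__main__":
    n, e = (2 ** 127 - 1) * (2 ** 89 - 1), 65537
    print(to_openssh(n, e), to_ssh2(n, e), *fingerprints(n, e), demo(), sep="\n")
```

Because both wrappers carry the identical blob, the fingerprint of a key is the same whichever format was exported, which is what makes an out-of-band comparison practical: read the fingerprint (or the raw key text from display public-key local rsa public) on the exporting device and check it against the imported copy before the key is used for authentication.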

 

Displaying and Maintaining Public Keys

To do…                                           Use the command…                                            Remarks
Display the public keys of the local key pairs   display public-key local { ecdsa | rsa } public             Available in any view
Display the public keys of the peers             display public-key peer [ brief | name publickey-name ]     Available in any view

 

Public Key Configuration Examples

For public key configuration examples, see the following configuration guides:

• SSH2.0 in the Security Configuration Guide

• HTTP in the Fundamentals Configuration Guide

 
