14-Security Configuration Guide

HomeSupportResource CenterH3C FAT AP Configuration Guide(R5436)-6W10114-Security Configuration Guide
04-Public key management
Title Size Download
04-Public key management 84.76 KB

Managing public keys

About public key management

This chapter describes public key management for the following asymmetric key algorithms:

·     Revest-Shamir-Adleman Algorithm (RSA).

·     Digital Signature Algorithm (DSA).

·     Elliptic Curve Digital Signature Algorithm (ECDSA).

Asymmetric key algorithm overview

Asymmetric key algorithms are used by security applications to secure communications between two parties, as shown in Figure 1. Asymmetric key algorithms use two separate keys (one public and one private) for encryption and decryption. Symmetric key algorithms use only one key.

Figure 1 Encryption and decryption

 

A key owner can distribute the public key in plain text on the network but must keep the private key in privacy. It is mathematically infeasible to calculate the private key even if an attacker knows the algorithm and the public key.

Usage of asymmetric key algorithms

Security applications (such as SSH, SSL, and PKI) use the asymmetric key algorithms for the following purposes:

·     Encryption and decryption—Any public key receiver can use the public key to encrypt information, but only the private key owner can decrypt the information.

·     Digital signature—The key owner uses the private key to digitally sign information to be sent. The receiver decrypts the information with the sender's public key to verify information authenticity.

RSA, DSA, and ECDSA can all perform digital signature, but only RSA can perform encryption and decryption.

Public key management tasks at a glance

To manage public keys, perform the following tasks:

1.     Creating a local key pair

2.     Distributing a local host public key

Choose one of the following tasks:

¡     Exporting a host public key

¡     Displaying a host public key

To enable the peer device to authenticate the local device, you must distribute the local device's public key to the peer device.

3.     Configuring a peer host public key

Choose one of the following tasks:

¡     Importing a peer host public key from a public key file

¡     Entering a peer host public key

To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the peer device's public key on the local device.

4.     (Optional.) Destroying a local key pair

Creating a local key pair

Restrictions and guidelines

When you create a local key pair, follow these guidelines:

·     The key algorithm must be the same as required by the security application.

·     When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, and the longer the key generation time.

When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length. The longer the key length, the higher the security, and the longer the key generation time.

See Table 1 for more information about key modulus lengths and key lengths.

·     If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default. The key pair name must be unique among all manually named key pairs that use the same key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.

·     The key pairs are automatically saved and can survive system reboots.

Table 1 A comparison of different types of asymmetric key algorithms

Type

Generated key pairs

Modulus/key length

RSA

·     One host key pair, if you specify a key pair name.

·     One server key pair and one host key pair, if you do not specify a key pair name.
Both key pairs use their default names.

NOTE:

Only SSH 1.5 uses the RSA server key pair.

Key modulus length: 512 to 2048 bits.

Default: 1024 bits.

To ensure security, use a minimum of 768 bits.

DSA

One host key pair.

Key modulus length: 512 to 2048 bits.

Default: 1024 bits.

To ensure security, use a minimum of 768 bits.

ECDSA

One host key pair.

Key length: 192, 256, 384, or 521 bits.

Procedure

1.     Enter system view.

system-view

2.     Create a local key pair.

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]

Distributing a local host public key

About distribution of local host public keys

You must distribute a local host public key to a peer device so the peer device can perform the following operations:

·     Use the public key to encrypt information sent to the local device.

·     Authenticate the digital signature signed by the local device.

To distribute a local host public key, you must first export or display the key.

·     Export a host public key:

¡     Export a host public key to a file.

¡     Export a host public key to the monitor screen, and then save it to a file.

After the key is exported to a file, transfer the file to the peer device. On the peer device, import the key from the file.

·     Display a host public key.

After the key is displayed, record the key, for example, copy it to an unformatted file. On the peer device, you must literally enter the key.

Exporting a host public key

Restrictions and guidelines

When you export a host public key, follow these restrictions and guidelines:

·     If you specify a file name in the command, the command exports the key to the specified file.

·     If you do not specify a file name, the command exports the key to the monitor screen. You must manually save the exported key to a file.

Procedure

1.     Enter system view.

system-view

2.     Export a local host public key.

¡     Export an RSA host public key:

public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]

¡     Export an ECDSA host public key.

public-key local export ecdsa [ name key-name ] { openssh | ssh2 } [ filename ]

¡     Export a DSA host public key.

public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]

Displaying a host public key

Perform the following tasks in any view:

·     Display local RSA public keys.

display public-key local rsa public [ name key-name ]

Do not distribute the RSA server public key serverkey (default) to a peer device.

·     Display local ECDSA public keys.

display public-key local ecdsa public [ name key-name ]

·     Display local DSA public keys.

display public-key local dsa public [ name key-name ]

Configuring a peer host public key

About peer host public key configuration

To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the peer device's public key on the local device.

You can configure the peer host public key by using the following methods:

·     Import the peer host public key from a public key file (recommended).

·     Manually enter (type or copy) the peer host public key.

For information about how to obtain the host public key of a device, see "Distributing a local host public key."

Restrictions and guidelines for peer host public key configuration

When you configure a peer host public key, follow these restrictions and guidelines:

·     When you manually enter the peer host public key, make sure the entered key is in the correct format. To obtain the peer host public key in the correct format, use the display public-key local public command to display the public key on the peer device and record the key. The format of the public key displayed in any other way might be incorrect. If the key is not in the correct format, the system discards the key and displays an error message.

·     Always import rather than enter the peer host public key if you are not sure whether the device supports the format of the recorded peer host public key.

Importing a peer host public key from a public key file

About this task

Before you perform this task, make sure you have exported the host public key to a file on the peer device and obtained the file from the peer device. For information about exporting a host public key, see "Exporting a host public key."

After you import the key, the system automatically converts the imported public key to a string in the Public Key Cryptography Standards (PKCS) format.

Procedure

1.     Enter system view.

system-view

2.     Import a peer host public key from a public key file.

public-key peer keyname import sshkey filename

By default, no peer host public keys exist.

Entering a peer host public key

About this task

Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key."

Procedure

1.     Enter system view.

system-view

2.     Specify a name for the peer host public key and enter public key view.

public-key peer keyname

3.     Type or copy the key.

You can use spaces and carriage returns, but the system does not save them.

4.     Exit public key view.

peer-public-key end

When you exit public key view, the system automatically saves the peer host public key.

Destroying a local key pair

About this task

To ensure security, destroy the local key pair and generate a new key pair in any of the following situations:

·     The local key has leaked. An intrusion event might occur.

·     The storage media of the device is replaced.

·     The local certificate has expired. For more information about local certificates, see "Configuring PKI."

Procedure

1.     Enter system view.

system-view

2.     Destroy a local key pair.

public-key local destroy{ dsa | ecdsa | rsa } [ name key-name ]

Display and maintenance commands for public keys

Execute display commands in any view.

 

Task

Command

Display local public keys.

display public-key local { dsa | ecdsa | rsa } public [ name key-name ]

Display peer host public keys.

display public-key peer [ brief | name publickey-name ]