Contents

Managing public keys· 1

Configuration task list 1

Creating a local asymmetric key pair 2

Distributing a local host public key· 2

Displaying a host public key· 3

Exporting a host public key· 3

Destroying a local asymmetric key pair 3

Configuring a peer host public key· 4

Importing a peer host public key from a public key file· 4

Entering a peer host public key· 4

Displaying public keys· 5

Public key configuration examples· 5

Manually specifying the peer host public key on the local device· 5

Importing a public key from a public key file· 7

 

Managing public keys 

To protect data confidentiality during transmission, the data sender uses an algorithm and a key to encrypt the plain text data before sending the data out. The receiver uses the same algorithm with the help of a key to decrypt the data, as shown in Figure 1.

Figure 1 Encryption and decryption

 

The keys that participate in the conversion between plain text and cipher text can be the same or different, dividing the encryption and decryption algorithms into the following types:

·     Symmetric key algorithm—The keys for encryption and decryption are the same.

·     Asymmetric key algorithm—The keys for encryption and decryption are different. One is the public key, and the other is the private key. The information encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the public key may be distributed widely. The private key cannot be practically derived from the public key. The device supports RSA and DSA asymmetric key algorithms.

The asymmetric key algorithms can be used for the following purposes:

·     To encrypt and decrypt data—Any public key receiver can use the public key to encrypt information, but only the private key owner can decrypt the information. This mechanism ensures confidentiality.

·     To authenticate a sender—Also called "digital signature." The key owner uses the private key to "sign" information to be sent, and the receiver decrypts the information with the sender's public key to verify information authenticity.

Asymmetric key algorithms are widely used in various applications. For example, SSH, SSL, and PKI use the algorithms for digital signature. For information about SSH, SSL, and PKI, see "Configuring SSH," "Configuring SSL," and "Configuring PKI."

Configuration task list 

Public key configuration tasks enable you to manage the local asymmetric key pairs and configure the peer host public keys on the local device. By completing these tasks, the local device is ready to work with applications such as SSH and SSL to implement data encryption/decryption, or digital signature.

Complete these tasks to configure public keys:

 

Task		Remarks
Configuring a local asymmetric key pair on the local device	Creating a local asymmetric key pair	Choose one or more tasks.
	Distributing a local host public key
	Destroying a local asymmetric key pair
Configuring a peer host public key

 

Creating a local asymmetric key pair

When you create a local key pair, follow these guidelines:

·     The key algorithm must be the same as required by the security application.

·     Enter an appropriate key modulus length at prompt (see Table 1).

·     The created key pairs are automatically saved and can survive system reboots.

Table 1 A comparison of different types of asymmetric key algorithms

Type	Number of key pairs	Modulus length
RSA	One server key pair and one host key pair. NOTE: Only SSH 1.5 uses the RSA server key pair.	·     In non-FIPS mode: 512 to 2048 bits and defaults to 1024 bits. H3C recommends using 768 bits or longer. ·     In FIPS mode: 2048 bits.
DSA	One host key pair.	·     In non-FIPS mode: 512 to 2048 bits and defaults to 1024 bits. H3C recommends using 768 bits or longer. ·     In FIPS mode: 2048 bits.

 

To create a local asymmetric key pair:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Create a local asymmetric key pair.	public-key local create { dsa | rsa }	By default, no asymmetric key pairs exist. If the type of key pair to be created already exists, the system asks you whether you want to overwrite the existing key pair.

 

Distributing a local host public key

You must distribute a local host public key to a peer device so the peer device can perform the following operations:

·     Use the public key to encrypt information sent to the local device.

·     Authenticate the digital signature signed by the local device.

To distribute a local host public key, you must first export or display the key.

·     Export a host public key:

¡     Export a host public to a file.

¡     Export a host public key to the monitor screen, and then save it to a file.

After the key is exported to a file, transfer the file to the peer device. On the peer device, import the key from the file.

·     Display a host public key.

After the key is displayed, record the key, for example, copy it to an unformatted file. On the peer device, you must literally enter the key.

Displaying a host public key

Task	Command	Remarks
Display the local RSA public keys.	display public-key local rsa public [ | { begin | exclude | include } regular-expression ]	Available in any view. Use at least one command.
Display the local DSA public keys.	display public-key local dsa public [ | { begin | exclude | include } regular-expression ]

 

	NOTE: Do not distribute the RSA server public key serverkey (default) to a peer device.

Exporting a host public key

When you export a host public key, follow these restrictions and guidelines:

·     If you specify a file name in the command, the command exports the key to the specified file.

·     If you do not specify a file name, the command exports the key to the monitor screen. You must manually save the exported key to a file.

To export a local host public key:

 

Step	Command
1.     Enter system view.	system-view
2.     Export a local host public key.	·     Export an RSA host public key: ¡     In non-FIPS mode: public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ] ¡     In FIPS mode: public-key local export rsa { openssh | ssh2 } [ filename ] ·     Export a DSA host public key: public-key local export dsa { openssh | ssh2 } [ filename ]

 

Destroying a local asymmetric key pair

To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:

·     An intrusion event has occurred.

·     The storage media of the device is replaced.

·     The local certificate has expired.

For more information about local certificates, see "Configuring PKI."

To destroy a local asymmetric key pair:

 

Step	Command
1.     Enter system view.	system-view
2.     Destroy a local asymmetric key pair.	public-key local destroy { dsa| rsa }

 

Configuring a peer host public key

To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the peer device's public key on the local device.

You can configure the peer host public key by using the following methods:

·     Import the peer host public key form a public key file (recommended).

·     Manually enter (type or copy) the peer host public key.

Importing a peer host public key from a public key file

Before you perform this task, make sure you have exported the host public key to a file on the peer device and obtained the file from the peer device. For information about exporting a host public key, see "Exporting a host public key."

After you import the key, the system automatically converts the imported public key to a string in the Public Key Cryptography Standards (PKCS) format.

To import a peer host public key from a public key file:

 

Step	Command
1.     Enter system view.	system-view
2.     Import the host public key from the public key file.	public-key peer keyname import sshkey filename

 

Entering a peer host public key

Before you perform this task, make sure you have displayed the key on the peer device and recorded the key. For information about displaying a host public key, see "Displaying a host public key."

Use the display public-key local public command to display the public key on the peer device. The format of the public key displayed in any other way might be incorrect. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.

Always import rather than enter the peer host public key if you are not sure that the device supports the format of the recorded peer host public key.

To enter a peer host public key:

 

Step	Command	Remarks
1.     Enter system view.	system-view	N/A
2.     Specify a name for the public key and enter public key view.	public-key peer keyname	N/A
3.     Enter public key code view.	public-key-code begin	N/A
4.     Configure the peer host public key.	Type or copy the key	Spaces and carriage returns are allowed between characters.
5.     Return to public key view.	public-key-code end	When you exit public key code view, the system automatically saves the public key.
6.     Return to system view.	peer-public-key end	N/A

 

Displaying public keys

Task	Command	Remarks
Display local public keys	display public-key local { dsa| rsa } public [ | { begin | exclude | include } regular-expression ]	Available in any view.
Display peer host public keys.	display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]	Available in any view.

 

Public key configuration examples

Manually specifying the peer host public key on the local device

Network requirements

As shown in Figure 2, to prevent illegal access, the AC authenticates the device (the peer device) through a digital signature. Before configuring authentication parameters on the device, configure the public key of the device on the AC.

·     Configure the AC to use the asymmetric key algorithm of RSA to authenticate the device.

·     Manually specify the host public key of the device's public key pair on the AC.

Figure 2 Network diagram

 

Configuration procedure

1.     Configure the device:

# Create local RSA key pairs on the device, setting the modulus length to the default, 1024 bits.

<Device> system-view

[Device] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++

++++++

++++++++

++++++++

# Display the public keys of the local RSA key pairs.

[Device] display public-key local rsa public

 

=====================================================

Time of Key pair created: 09:50:06  2007/08/07

Key name: HOST_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

 

=====================================================

Time of Key pair created: 09:50:07  2007/08/07

Key name: SERVER_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001

2.     Configure the AC:

# Configure the host public key of the device's RSA key pairs on the AC. In public key code view, enter the host public key of the device. The host public key is the content of HOST_KEY displayed on the device by using the display public-key local rsa public command.

<AC> system-view

[AC] public-key peer device

Public key view: return to System View with "peer-public-key end".

[AC-pkey-public-key] public-key-code begin

Public key code view: return to last view with "public-key-code end".

[AC-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

[AC-pkey-key-code] public-key-code end

[AC-pkey-public-key] peer-public-key end

# Display the host public key of the device saved on the AC.

[AC] display public-key peer name device

 

=====================================

  Key Name  : device

  Key Type  : RSA

  Key Module: 1024

=====================================

Key Code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

The output shows that the host public key of the device saved on the AC is consistent with the one created on the device.

Importing a public key from a public key file

Network requirements

As shown in Figure 3, to prevent illegal access, the AC (the local device) authenticates the device (the peer device) through a digital signature. Before configuring authentication parameters on the device, configure the public key of the device on the AC

·     Configure the AC to use the asymmetric key algorithm of RSA to authenticate Device A.

·     Import the host public key of the device from the public key file to the AC.

Figure 3 Network diagram

 

Configuration procedure

1.     Create key pairs on the device and export the host public key:

# Create local RSA key pairs on the device, setting the modulus length to the default, 1024 bits.

<Device> system-view

[Device] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++

++++++

++++++++

++++++++

# Display the public keys of the local RSA key pairs.

[Device] display public-key local rsa public

 

=====================================================

Time of Key pair created: 09:50:06  2007/08/07

Key name: HOST_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

 

=====================================================

Time of Key pair created: 09:50:07  2007/08/07

Key name: SERVER_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB6158E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001

# Export the RSA host public key HOST_KEY to a file named device.pub.

[Device] public-key local export rsa ssh2 device.pub

2.     Enable the FTP server function on the device:

# Enable the FTP server function, and create an FTP user with the username ftp, password 123, and user level 3. This user level makes sure the user has the permission to perform FTP operations.

[Device] ftp server enable

[Device] local-user ftp

[Device-luser-ftp] password simple 123

[Device-luser-ftp] service-type ftp

[Device-luser-ftp] authorization-attribute level 3

[Device-luser-ftp] quit

3.     On the AC, get the public key file of the device:

# From the AC, use FTP to log in to the device, and get the public key file device.pub with the file transfer mode of binary.

<AC> ftp 10.1.1.1

Trying 10.1.1.1 ...

Press CTRL+K to abort

Connected to 10.1.1.1.

220 FTP service ready.

User(10.1.1.1:(none)):ftp

331 Password required for ftp.

Password:

230 User logged in.

[ftp] binary

200 Type set to I.

[ftp] get device.pub

227 Entering Passive Mode (10,1,1,1,5,148).

125 BINARY mode data connection already open, transfer starting for /device.pub.

226 Transfer complete.

FTP: 299 byte(s) received in 0.189 second(s), 1.00Kbyte(s)/sec.

[ftp] quit

221 Server closing.

4.     Import the host public key of the device to the AC:

# Import the host public key of the device from the key file device.pub to the AC.

<AC> system-view

[AC] public-key peer device import sshkey device.pub

# Display the host public key of the device on the AC.

[AC] display public-key peer name device

 

=====================================

  Key Name  : device

  Key Type  : RSA

  Key Module: 1024

=====================================

Key Code:

30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001

The output shows that the host public key of the device saved on the AC is consistent with the one created on the device.