08-Public Key Configuration
This chapter includes these sections:
· Asymmetric key algorithm overview
· Configuring the local asymmetric key pair
· Configuring a remote host's public key
· Displaying and maintaining public keys
· Public key configuration examples
NOTE:
· The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.
· The WX3000E series comprises WX3024E and WX3010E wireless switches.
· The port numbers in this chapter are for illustration only.
Asymmetric key algorithm overview
Basic concepts
· Algorithm: A set of transformation rules for encryption and decryption.
· Plain text: Information that has not been encrypted.
· Cipher text: Encrypted information.
· Key: A string of characters that controls the transformation between plain text and cipher text. It is used in both the encryption and decryption.
Key algorithm types
As shown in Figure 1, the information in plain text is encrypted by an algorithm with the help of a key before being sent. The resulting cipher text is transmitted across the network to the receiver, where it is decrypted by the same algorithm also with the help of a key to obtain the original plain text.
Figure 1 Encryption and decryption
The following types of key algorithms are available, based on whether the keys for encryption and decryption are the same:
· Symmetric key algorithm—The keys for encryption and decryption are the same. Commonly used symmetric key algorithms include Advanced Encryption Standard (AES) and Data Encryption Standard (DES).
· Asymmetric key algorithm—The keys for encryption and decryption are different: one is the public key, and the other is the private key. Information encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the public key may be distributed widely. The private key cannot be practically derived from the public key.
Asymmetric key algorithm applications
Asymmetric key algorithms can be used for encryption/decryption and digital signature.
· Encryption/decryption—the sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt the information. This mechanism ensures confidentiality.
· Digital signature—the sender "signs" the information to be sent by encrypting the information with its own private key. A receiver decrypts the information with the sender's public key and, based on whether the information can be decrypted, determines the authenticity of the information.
The Rivest-Shamir-Adleman Algorithm (RSA) and the Digital Signature Algorithm (DSA) are asymmetric key algorithms. RSA can be used for data encryption/decryption and signature, whereas DSA is used for signature only.
Configuring the local asymmetric key pair
You can create and destroy a local asymmetric key pair, and export the host public key of a local asymmetric key pair.
Creating an asymmetric key pair
Follow these steps to create an asymmetric key pair:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Create a local DSA key pair, or RSA key pairs | public-key local create { dsa \| rsa } | Required. By default, no key pair is created. |
The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair comprises a public key and a private key. The public-key local create dsa command generates only one key pair, the host key pair.
After you enter the command, you are asked to specify the modulus length. The length of an RSA or DSA key modulus ranges from 512 to 2048 bits. To achieve higher security, specify a modulus of at least 768 bits.
NOTE:
· Key pairs created with the public-key local create command are saved automatically and can survive system reboots.
Displaying or exporting the local RSA or DSA host public key
Display the local RSA or DSA host public key on the screen or export it to a specified file. Then, you can configure the local RSA or DSA host public key on the remote end so that the remote end can use the host public key to authenticate the local end through digital signature.
Follow these steps to display or export the local RSA or DSA host public key:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Display the local RSA host public key on the screen in a specified format, or export it to a specified file | public-key local export rsa { openssh \| ssh1 \| ssh2 } [ filename ] | Select a command according to the type of the key to be exported. |
Display the local DSA host public key on the screen in a specified format, or export it to a specified file | public-key local export dsa { openssh \| ssh2 } [ filename ] | Select a command according to the type of the key to be exported. |
Destroying an asymmetric key pair
You may need to destroy an asymmetric key pair and generate a new pair when an intrusion event has occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time, or the certificate from the Certificate Authority (CA) expires. To check the certificate status, use the display pki certificate command. For more information about the CA and certificate, see the chapter “PKI configuration.”
Follow these steps to destroy an asymmetric key pair:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Destroy an asymmetric key pair | public-key local destroy { dsa \| rsa } | Required |
Configuring a remote host's public key
To enable your local host to authenticate a remote host, configure the remote host's RSA or DSA public key on the local host. The following methods are available:
· Import it from a public key file—Obtain a copy of the remote host's public key file through FTP or TFTP (in binary mode) first, and then import the public key from the file. During the import process, the system automatically converts the public key to a string in PKCS (Public Key Cryptography Standards) format. H3C recommends that you follow this method to configure the remote host's public key.
· Configure it manually—If the remote host is an H3C device, you can use the display public-key local public command to view and record its public key. On the local host, input or copy the key data in public key code view. A public key displayed by other methods may not be in PKCS format, and the system cannot save a key that does not comply with that format.
NOTE:
· The device supports up to 20 public keys of remote hosts.
Follow these steps to import a remote host's host public key from the public key file:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Import the host public key of a remote host from the public key file | public-key peer keyname import sshkey filename | Required |
Follow these steps to configure a remote host's public key manually:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Specify a name for a remote host's public key and enter public key view | public-key peer keyname | Required |
Enter public key code view | public-key-code begin | — |
Configure the server or host public key of the remote host | Type or copy the key | Required. Spaces and carriage returns are allowed between characters. |
Return to public key view | public-key-code end | Required. When you exit public key code view, the system automatically saves the public key. |
Return to system view | peer-public-key end | — |
NOTE:
· Do not configure an RSA server public key of the remote host for identity authentication in SSH applications. Authentication in SSH applications uses the RSA host public key. For more information about SSH, see the chapter "SSH2.0 configuration."
Displaying and maintaining public keys
To do… | Use the command… | Remarks |
---|---|---|
Display the public keys of the local key pairs | display public-key local { dsa \| rsa } public [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display the public keys of the remote hosts | display public-key peer [ brief \| name publickey-name ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Public key configuration examples
Configuring a remote host's public key manually
Network requirements
As shown in Figure 2, to prevent illegal access, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
· Configure Device B to use the asymmetric key algorithm of RSA for identity authentication of Device A.
· Manually configure the host public key of Device A on Device B.
Figure 2 Network diagram for manually configuring a remote host's public key
Configuration procedure
1. Configure Device A
# Create RSA key pairs on Device A.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the created RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================
Time of Key pair created: 09:50:06 2007/08/07
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F
9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C
669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2B
AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61
58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3
CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
2. Configure Device B
# Configure the host public key of Device A on Device B. In public key code view, input the host public key of Device A. The host public key is the content of HOST_KEY displayed on Device A using the display public-key local rsa public command.
<DeviceB> system-view
[DeviceB] public-key peer devicea
Public key view: return to System View with "peer-public-key end".
[DeviceB-pkey-public-key] public-key-code begin
Public key code view: return to last view with "public-key-code end".
[DeviceB-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100D900
03FA95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E
353B3A9AB16C9E766BD995C669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB12
5035EA326470034DC078B2BAA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A1020
3010001
[DeviceB-pkey-key-code] public-key-code end
[DeviceB-pkey-public-key] peer-public-key end
# Display the host public key of Device A saved on Device B.
[DeviceB] display public-key peer name devicea
=====================================
Key Name : devicea
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F
9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C
669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2B
AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
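A key typed by hand into public key code view is easy to mistype, and the device only checks that the result is PKCS-compliant. The following Python script is an added example (not from this guide and not device code): it parses the hex key code that display public-key local rsa public prints, confirms it is an rsaEncryption SubjectPublicKeyInfo, reports the modulus length, and computes a SHA-256 fingerprint that can be compared against the display public-key peer output on Device B before the key is relied on for authentication. It also re-encodes the key as an OpenSSH ssh-rsa line. It uses only the Python standard library; HOST_KEY is the value shown above, and the function names are the example's own.

```python
import base64
import hashlib
import struct

# HOST_KEY exactly as "display public-key local rsa public" wraps it on Device A (from the example above).
HOST_KEY = """
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F
9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C
669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2B
AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
"""
RSA_OID = bytes.fromhex("2A864886F70D010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_rsa_key_code(key_code):
    """Return (modulus, exponent) from the hex key code. Whitespace is dropped,
    as public key code view also allows spaces and carriage returns in the key."""
    der = bytes.fromhex("".join(key_code.split()))
    tag, pos, end = _tlv(der, 0)                         # SubjectPublicKeyInfo
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag, alg_start, alg_end = _tlv(der, pos)             # AlgorithmIdentifier
    tag, oid_start, oid_end = _tlv(der, alg_start)       # OBJECT IDENTIFIER
    if tag != 0x06 or der[oid_start:oid_end] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bs_start, _ = _tlv(der, alg_end)                # BIT STRING; first byte = unused bits
    if tag != 0x03 or der[bs_start] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, seq_start, _ = _tlv(der, bs_start + 1)            # RSAPublicKey SEQUENCE
    _, n_start, n_end = _tlv(der, seq_start)             # INTEGER modulus
    _, e_start, e_end = _tlv(der, n_end)                 # INTEGER publicExponent
    return int.from_bytes(der[n_start:n_end], "big"), int.from_bytes(der[e_start:e_end], "big")

def fingerprint(key_code):
    """SHA-256 of the DER bytes; compare it on Device A and on Device B after the key is saved."""
    return hashlib.sha256(bytes.fromhex("".join(key_code.split()))).hexdigest()

def to_openssh(n, e):
    """Re-encode the key as an OpenSSH 'ssh-rsa' public key line."""
    def mpint(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # one spare byte keeps the sign bit clear
        return struct.pack(">I", len(b)) + b
    return "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + mpint(e) + mpint(n)).decode()
```

Running parse_rsa_key_code(HOST_KEY) on the key above yields a 1024-bit modulus with exponent 65537, matching the "Key Module: 1024" line that Device B shows after the key is saved.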
Importing a remote host's public key from a public key file
Network requirements
As shown in Figure 3, to prevent illegal access, Device B authenticates Device A through a digital signature. Before configuring authentication parameters on Device B, configure the public key of Device A on Device B.
· Configure Device B to use the asymmetric key algorithm of RSA for identity authentication of Device A.
· Import the host public key of Device A from the public key file to Device B.
Figure 3 Network diagram for importing a remote host's public key from a public key file
Configuration procedure
1. Create key pairs on Device A and export the host public key
# Create RSA key pairs on Device A.
<DeviceA> system-view
[DeviceA] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++
++++++
++++++++
++++++++
# Display the public keys of the created RSA key pairs.
[DeviceA] display public-key local rsa public
=====================================================
Time of Key pair created: 09:50:06 2007/08/07
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F
9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C
669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2B
AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001
=====================================================
Time of Key pair created: 09:50:07 2007/08/07
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100999089E7AEE9802002D9EB2D0433B87BB61
58E35000AFB3FF310E42F109829D65BF70F7712507BE1A3E0BC5C2C03FAAF00DFDDC63D004B4490DACBA3
CFA9E84B9151BDC7EECE1C8770D961557D192DE2B36CAF9974B7B293363BB372771C2C1F0203010001
# Export the RSA host public key to a file named devicea.pub.
[DeviceA] public-key local export rsa ssh2 devicea.pub
[DeviceA] quit
2. Enable the FTP server function on Device B
# Enable the FTP server function, create an FTP user with the username ftp, password 123, and user level 3.
<DeviceB> system-view
[DeviceB] ftp server enable
[DeviceB] local-user ftp
[DeviceB-luser-ftp] password simple 123
[DeviceB-luser-ftp] service-type ftp
[DeviceB-luser-ftp] authorization-attribute level 3
[DeviceB-luser-ftp] quit
3. Upload the public key file of Device A to Device B
# FTP the public key file devicea.pub to Device B with the file transfer mode of binary.
<DeviceA> ftp 10.1.1.2
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2.
220 FTP service ready.
User(10.1.1.2:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] binary
200 Type set to I.
[ftp] put devicea.pub
227 Entering Passive Mode (10,1,1,2,5,148).
125 BINARY mode data connection already open, transfer starting for /devicea.pub.
226 Transfer complete.
FTP: 299 byte(s) sent in 0.189 second(s), 1.00Kbyte(s)/sec.
4. Import the host public key of Device A to Device B
# Import the host public key of Device A from the key file devicea.pub to Device B.
[DeviceB] public-key peer devicea import sshkey devicea.pub
# Display the host public key of Device A saved on Device B.
[DeviceB] display public-key peer name devicea
=====================================
Key Name : devicea
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819F300D06092A864886F70D010101050003818D0030818902818100D90003FA95F5A44A2A2CD3F814F
9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C
669A784AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2B
AA3BC3BCA80AAB5EE01986BD1EF64B42F17CCAE4A77F1EF999B2BF9C4A10203010001