Hi Tacack/Ian,

Thanks for your response.

I think we three have variations in our answers, but if we put ourselves together, we will get the correct answer :-)

1. The IPsec peer sends the certificate request in PKCS#10 along with its public keys encrypted using the CA's public key that it got from the CA certificate.
2. The CA server decrypts the request using its own private key.
3. Sends back an X.509 certificate along with a signature and the peer's public key.
4. The signature is a hash of the peer's public key and other values in the request, after which it is encrypted using the CA's private key.
5. The peer gets its certificate from the CA server.
6. During IPSec negotiation, the peer sends its cert to the remote peer.
7. The remote peer uses the CA's public key from the CA certificate to decrypt the signature. Both the peers should have enrolled with the same CA.
8. The remote peer gets the hash value after decryption using the CA public key.
9. The remote peer generates a hash from the details it got from the peer and compares the hashes.
10. If they are the same, then authentication succeeds.

Either you can have the following on the IPSec peers:
- Cert used for encryption
- Cert used for signature
- RSA keys for encryption
- RSA keys for signature

or:
- Cert for general purpose (both encryption and signature)
- RSA keys for general purpose (both encryption and signature)

The certificate that is sent to the remote IPSec peers has a public key. Now that public key in the cert can be used for encryption and signature in the 2nd case, while in the first case you have two certs, one having the public key for encryption and the other for signature.

The IPSec encryption happens with SKEYID_d that was obtained using the shared secret from DH. Hence the only encryption function of the public key from the cert is for encrypting messages 5 and 6. Either the general purpose key or the encryption key is used for encryption. The private key on the peer is used for decrypting messages 5 and 6.
Also, the other place where encryption is used is when sending the cert request to the CA server.

OK, what's the purpose of the signature key of the peers, which is available in the signature cert? The signature is encrypted by the CA public key, not the peer's pub key. I need to know what the purpose of the signature cert and signature keys is.

With regards
Kings

On Wed, Sep 15, 2010 at 10:26 PM, Ian McGowan <[email protected]> wrote:
> Okay, I'll hit reply all this time, sorry Vybhav :-)
>
> Hi Kings,
>
> RSA is used for encryption on IKE Phase 1 when the ISAKMP policy is set to rsa-sig. The initiator takes a hash of a block of data and then encrypts it; the other end can then decrypt it and compare the hashes. If exact, the peer is authenticated. When it moves to Phase 2, the encryption algorithm specified in the transform set is used. This encryption algorithm in the transform set will be a form of symmetric encryption, which is computationally much faster than asymmetric encryption (i.e. RSA). The overhead of asymmetric is accepted on IKE Phase 1 for authentication, but for passing traffic asymmetric encryption is too slow, so we must use symmetric such as 3DES or AES. Asymmetric being more secure, we can generate very strong Key Encryption Keys (KEKs) in the Phase 1 tunnel and share them with our peer across the tunnel to raise the security of the symmetric encryption algorithm.
>
> "My question is in IOS and ASA, is RSA keys or shared secret used for encryption/decryption."
> **This depends on what you have set the ISAKMP policy to be. Phase 2 is always symmetric.
>
> As for what the signature keys and encryption keys are used for, I believe signature for IKE Phase 1 and I'm not actually sure what the encryption keys are used for....??
>
> Hope that helps,
>
> Ian
>
> On Wed, Sep 15, 2010 at 3:11 PM, Kingsley Charles <[email protected]> wrote:
>> When we generate encryption and signature keys separately and use them with a trustpoint, we get two certs: an encryption cert and a signature cert. If the signature cert is used for authenticating with the peer, then please let me know what the purpose of the encryption cert is. Is it used for encrypting data?
>>
>> With regards
>> Kings
>>
>> On Wed, Sep 15, 2010 at 12:34 PM, Kingsley Charles <[email protected]> wrote:
>>> Hi all,
>>>
>>> When using digital certificates, are the private/public keys of the peering device used for encrypting/decrypting the data, or is the shared secret key used, as is done when using pre-shared keys?
>>> In most places, I read that the RSA keys are used for encryption and decryption.
>>>
>>> I have also read that RSA keys are not used because during bulk data encryption/decryption they don't scale well.
>>>
>>> My question is: in IOS and ASA, are RSA keys or a shared secret used for encryption/decryption?
>>>
>>> With regards
>>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
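Added example, not from any of the posts above: a toy model of the verification chain Kings lists in steps 7-10 and Ian describes as "encrypt the hash, the other end decrypts and compares". The remote peer first checks the CA's signature over the received cert with the CA public key, then checks the peer's signature over the IKE Phase 1 hash with the public key carried in that cert; the peer's signature key only ever signs, it never encrypts traffic. Assumes textbook RSA on small Mersenne primes, SHA-256 reduced mod n, JSON as a stand-in for X.509 encoding, and constructed HASH_I bytes.

```python
import hashlib
import json
import math

# Textbook RSA on small Mersenne primes: illustrates the sign/verify
# mechanics only (no padding, tiny modulus), not usable key material.
def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))      # (public, private)

def digest(data, n):
    # SHA-256 of the data, reduced mod n so the toy modulus can hold it
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)         # hash "encrypted" with the private key

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)  # "decrypt" with public key, compare hashes

def issue_cert(ca_priv, subject, peer_pub):
    # Stand-in for an X.509 cert: to-be-signed body plus the CA's signature over it
    body = {"subject": subject, "n": peer_pub[0], "e": peer_pub[1]}
    tbs = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": sign(ca_priv, tbs)}

def verify_cert(ca_pub, cert):
    tbs = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(ca_pub, tbs, cert["sig"])

def ike_authenticate(ca_pub, cert, hash_i, sig_i):
    # Remote peer's check (steps 7-10): trust the cert only if our CA signed it,
    # then use the cert's public key to check the peer's signature over HASH_I.
    if not verify_cert(ca_pub, cert):
        return False
    peer_pub = (cert["body"]["n"], cert["body"]["e"])
    return verify(peer_pub, hash_i, sig_i)

CA_PUB, CA_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)       # the enrolling CA
PEER_PUB, PEER_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)  # peer's signature key pair
PEER_CERT = issue_cert(CA_PRIV, "router1 (constructed subject)", PEER_PUB)
# Constructed stand-in for the IKE Phase 1 authentication hash (HASH_I)
HASH_I = b"HASH_I(SKEYID, g^xi, g^xr, CKY-I, CKY-R, SAi_b, IDii_b) constructed"
SIG_I = sign(PEER_PRIV, HASH_I)               # signed with the peer's signature key
```

Running `ike_authenticate(CA_PUB, PEER_CERT, HASH_I, SIG_I)` returns True; a cert issued by any other CA, a modified cert body, or a signature over different hash bytes all fail the check.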
