This might be a clue: when you try to associate an RSA key to a trustpoint, the options say either general purpose or signature key:

router5(config)#crypto pki trustpoint cisco
router5(ca-trustpoint)#rsakeypair cisco ?
  <360-2048>  *General Purpose or Signature Key length*

Which means the signature key is never used for IPSec. This also can be an answer.

On Thu, Sep 16, 2010 at 12:13 PM, Kingsley Charles <[email protected]> wrote:
> Hi Tacack/Ian
>
> Thanks for your response.
>
> I think we three have variations in our answer, but if we ourselves
> together, we will get the correct answer :-)
>
> 1. The IPsec peer sends the certificate request in PKCS#10 along with
>    its public keys encrypted using the CA's public key that it got from the
>    CA certificate.
> 2. The CA server decrypts the request using its own private key.
> 3. Sends back an X.509 certificate along with a signature and the peer's
>    public key.
> 4. The signature is a hash of the peer's public key and other values in the
>    request, after which it is encrypted using the CA's private key.
> 5. The peer gets its certificate from the CA server.
> 6. During IPSec negotiation, the peer sends its cert to the remote peer.
> 7. The remote peer uses the CA's public key from the CA certificate
>    to decrypt the signature. Both the peers should have enrolled
>    with the same CA.
> 8. The remote peer gets the hash value after decryption using the CA pub key.
> 9. The remote peer generates a hash from the details it received from the peer and
>    compares the hash.
> 10. If they are the same, then authentication succeeds.
>
> Either you can have the following on the IPSec peers:
>
> - Cert used for encryption
> - Cert used for signature
> - RSA keys for encryption
> - RSA keys for signature
>
> or
>
> - Cert for general purpose (both encryption and signature)
> - RSA keys for general purpose (both encryption and signature)
>
> The certificate that is sent to the remote IPSec peers has a public key.
> Now that public key in the cert can be used for encryption and signature in
> the 2nd case, while in the first case you have two certs, one having the public key for
> encryption and the other for signature.
>
> The IPSec encryption happens with SKEYID_d that was obtained using the
> shared secret from DH.
>
> Hence the only encryption function of the public key from the cert is for
> encrypting msg 5 and 6. Either the general purpose key or the encryption key is
> used for encryption. The private key on the peer is used for decrypting
> messages 5 and 6. Also, the other place where encryption is used is
> when sending the cert request to the CA server.
>
> OK, what's the purpose of the signature key of the peers which is available in
> the signature cert?
>
> The signature is encrypted by the CA public key, not the peer's pub key. I
> need to know what is the purpose of the signature cert and signature keys.
>
> With regards
> Kings
>
> On Wed, Sep 15, 2010 at 10:26 PM, Ian McGowan <[email protected]> wrote:
>
>> Okay I'll hit reply all this time, sorry Vybhav :-)
>>
>> Hi Kings,
>>
>> RSA is used for encryption on IKE Phase 1 when the ISAKMP policy is set to
>> rsa-sig. The initiator takes a hash of a block of data and then encrypts it;
>> the other end can then decrypt it and compare the hashes. If exact, the
>> peer is authenticated. When it moves to Phase 2, the
>> encryption algorithm specified in the transform set is used. This
>> encryption algorithm in the transform set will be a
>> form of symmetric encryption which is computationally much faster
>> than asymmetric encryption (i.e. RSA). The overhead of asymmetric is accepted
>> on IKE Phase 1 for authentication, but for passing traffic asymmetric
>> encryption is too slow, so we must use symmetric such as 3DES or AES.
>> Asymmetric being more secure, we can generate very strong Key Encryption Keys (KEKs) in
>> the Phase 1 tunnel and share them with our peer across the tunnel to raise
>> the security of the symmetric encryption algorithm.
>>
>> "My question is in IOS and ASA, is RSA keys or shared secret used for
>> encryption/decryption."
>> **This depends on what you have set the ISAKMP policy to be. Phase 2 is
>> always symmetric.
>>
>> As for what the signature keys and encryption keys are used for,
>> I believe signature for IKE Phase 1, and I'm not actually sure what the
>> encryption keys are used for....??
>>
>> Hope that helps,
>>
>> Ian
>>
>> On Wed, Sep 15, 2010 at 3:11 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> When we generate encryption and signature keys separately and use them with a
>>> trustpoint, we get two certs: an encryption and a signature cert. If the signature
>>> cert is used for authenticating with the peer, then please let me know what is the
>>> purpose of the encryption cert? Is it used for encrypting data?
>>>
>>> With regards
>>> Kings
>>>
>>> On Wed, Sep 15, 2010 at 12:34 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Hi all
>>>>
>>>> When using digital certificates, are the private/public keys of the
>>>> peering devices used for encrypting/decrypting the data, or is the shared secret
>>>> key used, as is done when using pre-shared keys?
>>>> In most places, I read that the RSA keys are used for encryption and
>>>> decryption.
>>>>
>>>> I have also read that RSA keys are not used because during bulk data
>>>> encryption/decryption they don't scale well.
>>>>
>>>> My question is: in IOS and ASA, are RSA keys or the shared secret used for
>>>> encryption/decryption?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
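Ian's sketch of rsa-sig authentication and Kingsley's steps 3-10, worked as a toy Python model (an added example, not from the thread and not Cisco IOS code): the CA signs the peer's certificate, the peer signs an IKE hash with its signature key, and the remote peer checks the cert against the CA public key before trusting the public key inside it. The key sizes, subject names and the HASH_I stand-in are constructed for illustration only; Phase 2 bulk encryption (symmetric, keyed from the DH-derived secret) is outside the model.

```python
import hashlib
from math import gcd

# Toy textbook RSA on small constructed primes: an illustration of the roles
# in the thread, not a usable cipher (real keys are 1024-4096 bits and padded).
CA_PRIMES = (1000003, 1000033)      # constructed: the CA's key pair
PEER_PRIMES = (1000037, 1000039)    # constructed: the IPsec peer's signature key pair

def rsa_keygen(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))      # (public, private)

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced into the (tiny) RSA group so it can be signed.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)        # "encrypt the hash" with the private key

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)  # recover the hash with the public key

def cert_tbs(subject: str, pub) -> bytes:
    # The part of the certificate the CA signs: identity plus subject public key.
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, subject: str, pub) -> dict:
    # Steps 3-4: the CA signs a hash of the peer's public key and identity.
    return {"subject": subject, "pub": pub, "sig": sign(ca_priv, cert_tbs(subject, pub))}

def authenticate_peer(ca_pub, cert: dict, ike_hash_input: bytes, ike_sig: int) -> bool:
    # Steps 7-10: verify the CA's signature on the cert with the CA public key, then
    # the peer's IKE signature with the public key taken from that now-trusted cert.
    if not verify(ca_pub, cert_tbs(cert["subject"], cert["pub"]), cert["sig"]):
        return False
    return verify(cert["pub"], ike_hash_input, ike_sig)

if __name__ == "__main__":
    ca_pub, ca_priv = rsa_keygen(*CA_PRIMES)
    peer_pub, peer_priv = rsa_keygen(*PEER_PRIMES)
    cert = issue_cert(ca_priv, "router5.example", peer_pub)        # enrollment (steps 1-5)
    hash_i = b"SKEYID|g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDii_b"            # constructed stand-in for HASH_I
    print(authenticate_peer(ca_pub, cert, hash_i, sign(peer_priv, hash_i)))   # True
```

Because RSA is a permutation on the group, a signature altered by even one unit can no longer recover the hash, and a cert whose contents were changed after the CA signed it fails the first check, so the remote peer never trusts the public key it carries.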
