Guys got the answer :-)
Snippet from
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_c2g.html#wp1104892
------------------------------
*Note* Secure Shell (SSH) may generate an additional RSA key pair if you
generate a key pair on a router having no RSA keys. The additional key pair
is used only by SSH and will have a name such as {*router_FQDN*}.server. For
example, if a router name is "router1.cisco.com," the key name is
"router1.cisco.com.server."
------------------------------
This command is not saved in the router configuration; however, the RSA keys
generated by this command are saved in the private configuration in NVRAM
(which is never displayed to the user or backed up to another device) the
next time the configuration is written to NVRAM.
------------------------------
*Note* If the configuration is not saved to NVRAM, the generated keys are
lost on the next reload of the router.
------------------------------
There are two mutually exclusive types of RSA key pairs: special-usage keys
and general-purpose keys. When you generate RSA key pairs, you will be
prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated.
One pair will be used with any Internet Key Exchange (IKE) policy that
specifies RSA signatures as the authentication method, and the other pair
will be used with any IKE policy that specifies RSA encrypted keys as the
authentication method.
A certification authority (CA) is used only with IKE policies specifying RSA
signatures, not with IKE policies specifying RSA-encrypted nonces. (However,
you could specify more than one IKE policy and have RSA signatures specified
in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE
policies, you may prefer to generate special-usage keys. With special-usage
keys, each key is not unnecessarily exposed. (Without special-usage keys,
one key is used for both authentication methods, increasing the exposure of
that key.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be
generated. This pair will be used with IKE policies specifying either RSA
signatures or RSA encrypted keys. Therefore, a general-purpose key pair
might get used more frequently than a special-usage key pair.
*That clarifies everything, I love happy endings :-)*
With regards
Kings
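As an added illustration (not from this thread and not Cisco's code), here is a toy Python model of the two IKE Phase 1 authentication methods the doc contrasts: rsa-sig signs a hash of the exchange with the signature pair and the responder checks it through the CA-signed cert, while rsa-encr has the responder encrypt a nonce to the encryption pair named in the cert. Assumptions: textbook RSA with tiny constructed primes and no padding, a CA modelled as one more key pair, and constructed subject names and nonces; it only shows which key pair each method touches, and that a general-purpose pair gets used by both.

```python
import hashlib
# Toy textbook RSA (tiny constructed primes, no padding): enough to show which
# key pair each IKE authentication method uses, not usable as real crypto.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):           # SHA-256, reduced mod n so the toy modulus fits
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):           # private-key operation (rsa-sig authentication)
    return pow(digest(data, key["n"]), key["d"], key["n"])
def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def encrypt(pub, m):           # public-key operation (rsa-encr: encrypted nonces)
    return pow(m, pub["e"], pub["n"])
def decrypt(key, c):
    return pow(c, key["d"], key["n"])

def tbs(subject, pub):         # "to be signed" part of a toy certificate
    return f'{subject}|{pub["n"]}:{pub["e"]}'.encode()
def issue_cert(ca_key, subject, pub):   # CA signs subject name + public key
    return {"subject": subject, "pub": pub, "sig": sign(ca_key, tbs(subject, pub))}
def check_cert(ca_pub, cert):
    return verify(ca_pub, tbs(cert["subject"], cert["pub"]), cert["sig"])

def rsa_sig_auth(init_key, init_cert, ca_pub, handshake):
    # Initiator signs a hash of the exchange; responder validates the cert
    # against the CA, then the signature against the key inside that cert.
    sig = sign(init_key, handshake)
    return check_cert(ca_pub, init_cert) and verify(init_cert["pub"], handshake, sig)

def rsa_encr_auth(init_key, init_cert, ca_pub, nonce):
    # Responder encrypts a nonce to the key in the cert; only the holder of the
    # matching private key can recover it and prove that in the next message.
    if not check_cert(ca_pub, init_cert):
        return False
    return decrypt(init_key, encrypt(init_cert["pub"], nonce)) == nonce

# Constructed CA, special-usage pairs (SIG/ENC) and one general-purpose pair
# for a router named router1.cisco.com, the name used in the Cisco doc's example.
CA = make_key(1000003, 1000033)
SIG_KEY, ENC_KEY = make_key(1000037, 1000039), make_key(1000081, 1000099)
GP_KEY = make_key(1000117, 1000121)
SIG_CERT = issue_cert(CA, "router1.cisco.com", public(SIG_KEY))
ENC_CERT = issue_cert(CA, "router1.cisco.com", public(ENC_KEY))
GP_CERT = issue_cert(CA, "router1.cisco.com", public(GP_KEY))
```

Calling `rsa_sig_auth` with the encryption pair against the signature cert (or vice versa) fails, which is the key separation the doc describes; the general-purpose pair succeeds in both functions because one private key serves both operations.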
On Thu, Sep 16, 2010 at 12:22 PM, Kingsley Charles <[email protected]> wrote:
> This might be a clue: when you try to associate an RSA key to a trustpoint,
> the option says either general purpose or signature key.
>
> router5(config)#crypto pki trustpoint cisco
> router5(ca-trustpoint)#rsakeypair cisco ?
> <360-2048> *General Purpose or Signature Key length*
>
> Which means the signature key is never used for IPSec. This also can be an
> answer.
>
>
> On Thu, Sep 16, 2010 at 12:13 PM, Kingsley Charles <
> [email protected]> wrote:
>
>> Hi Tacack/Ian
>>
>> Thanks for your response.
>>
>> I think we three have variations in our answers, but if we put ourselves
>> together, we will get the correct answer :-)
>>
>> 1. The IPsec peer sends the certificate request in PKCS#10 along with
>> its public keys, encrypted using the CA's public key that it got from the
>> CA certificate.
>> 2. The CA server decrypts the request using its own private key.
>> 3. It sends back an X.509 certificate along with a signature and the
>> peer's public key.
>> 4. The signature is a hash of the peer's public key and other values
>> in the request, after which it is encrypted using the CA's private key.
>> 5. The peer gets its certificate from the CA server.
>> 6. During IPSec negotiation, the peer sends its cert to the remote
>> peer.
>> 7. The remote peer uses the CA's public key from the CA certificate
>> to decrypt the signature. Both peers should have enrolled with the same CA.
>> 8. The remote peer gets the hash value after decryption using the CA pub key.
>> 9. The remote peer generates a hash from the details it got from the peer
>> and compares the hashes.
>> 10. If they are the same, then authentication succeeds.
>>
>> Either you can have the following on the IPSec peers:
>>
>> - Cert used for encryption
>> - Cert used for signature
>> - RSA keys for encryption
>> - RSA keys for signature
>>
>> or
>>
>> - Cert for general purpose (both encryption and signature)
>> - RSA keys for general purpose (both encryption and signature)
>>
>> The certificate that is sent to the remote IPSec peers has a public key.
>> Now that public key in the cert can be used for encryption and signature in
>> the 2nd case, while in the first case you have two certs, one having a
>> public key for encryption and the other for signature.
>>
>> The IPSec encryption happens with SKEYID_d, which was obtained using the
>> shared secret from DH.
>>
>> Hence the only encryption function of the public key from the cert is for
>> encrypting msg 5 and 6. Either the general purpose key or the encryption key is
>> used for encryption. The private key on the peer is used for decrypting
>> messages 5 and 6. Also, the other place where encryption is used is
>> when sending the cert request to the CA server.
>>
>> OK, what's the purpose of the signature key of the peers, which is available
>> in the signature cert?
>>
>> The signature is encrypted by the CA public key, not the peer's pub key. I
>> need to know what the purpose of the signature cert and signature keys is.
>>
>> With regards
>> Kings
>>
>>
>> On Wed, Sep 15, 2010 at 10:26 PM, Ian McGowan <[email protected]> wrote:
>>
>>> Okay I'll hit reply all this time, sorry Vybhav :-)
>>>
>>>
>>> Hi Kings,
>>>
>>> RSA is used for encryption on IKE Phase 1 when the ISAKMP policy is set
>>> to rsa-sig. The initiator takes a hash of a block of data and
>>> then encrypts it; the other end can then decrypt it and compare the hashes.
>>> If exact, the peer is authenticated. When it moves to Phase 2 the
>>> encryption algorithm specified in the transform set is used. This
>>> encryption algorithm in the transform set will be a
>>> form of symmetric encryption, which is computationally much faster
>>> than asymmetric encryption (i.e. RSA). The overhead of asymmetric is accepted
>>> on IKE Phase 1 for authentication, but for passing traffic asymmetric
>>> encryption is too slow, so we must use symmetric such as 3DES or AES. Asymmetric
>>> being more secure, we can generate very strong Key Encryption Keys (KEKs) in
>>> the Phase 1 tunnel and share them with our peer across the tunnel to raise
>>> the security of the symmetric encryption algorithm.
>>>
>>> "My question is in IOS and ASA, is RSA keys or shared secret used for
>>> encryption/decryption."
>>> This depends on what you have set the ISAKMP policy to be. Phase 2 is
>>> always symmetric.
>>>
>>> As for what the signature keys and encryption keys are used for,
>>> I believe signature for IKE Phase 1 and I'm not actually sure what the
>>> encryption keys are used for....??
>>>
>>> Hope that helps,
>>>
>>> Ian
>>>
>>>
>>>
>>> On Wed, Sep 15, 2010 at 3:11 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> When we generate encryption and signature keys separately and use them
>>>> with a trustpoint, we get two certs: an encryption and a signature cert. If
>>>> the signature cert is used for authenticating with the peer, then please
>>>> let me know what is the purpose of the encryption cert? Is it used for
>>>> encrypting data?
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>>
>>>>
>>>> On Wed, Sep 15, 2010 at 12:34 PM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> When using digital certificates, are the private/public keys of the
>>>>> peering device used for encrypting/decrypting the data, or is the shared
>>>>> secret key used, as is done when using pre-shared keys?
>>>>> In most places I read that the RSA keys are used for encryption and
>>>>> decryption.
>>>>>
>>>>> I have also read that RSA keys are not used because during bulk data
>>>>> encryption/decryption they don't scale well.
>>>>>
>>>>> My question is: in IOS and ASA, are RSA keys or a shared secret used for
>>>>> encryption/decryption?
>>>>>
>>>>>
>>>>> With regards
>>>>> Kings
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com