Cisco 7604 Configuration Guide - Page 218
Certificate Scalability, About Key Pairs
Chapter 12 Configuring Certificates
Public Key Cryptography

Obtaining the public key of a sender is normally handled out-of-band or through an operation performed at installation. For example, most web browsers are configured with the root certificates of several CAs by default. For VPN, the IKE protocol, a component of IPSec, can use digital signatures to authenticate peer devices before setting up security associations.

Certificate Scalability

Without digital certificates, you must manually configure each IPSec peer for every peer with which it communicates, and every new peer you add to a network would then require a configuration change on every peer with which you need it to communicate securely.

When you use digital certificates, each peer is enrolled with a CA. When two peers try to communicate, they exchange certificates and digitally sign data to authenticate each other. When a new peer is added to the network, you enroll that peer with a CA and no other peers need modification. When the new peer tries an IPSec connection, certificates are automatically exchanged and the peer can be authenticated.

With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and performing some public key cryptography. Each peer sends its unique certificate that was issued by the CA. This process works because each certificate encapsulates the public key for the associated peer, each certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating authority. This is called IKE with an RSA signature.

The peer can continue sending its certificate for multiple IPSec sessions, and to multiple IPSec peers, until the certificate expires. When its certificate expires, the peer administrator must obtain a new one from the CA.

CAs can also revoke certificates for peers that no longer participate in IPSec. Revoked certificates are not recognized as valid by other peers. Revoked certificates are listed in a CRL, which each peer may check before accepting a certificate from another peer.

Some CAs have an RA as part of their implementation. An RA is a server that acts as a proxy for the CA so that CA functions can continue when the CA is unavailable.

About Key Pairs

Key pairs are RSA keys, which can be used for SSH or SSL connections, and have the following characteristics:

• For the purposes of generating keys, the maximum key modulus for RSA keys is 2048 bits. The default size is 1024 bits. Many SSL connections using identity certificates with RSA key pairs that exceed 1024 bits can cause high CPU usage on the FWSM and rejected clientless logins.

• For signature operations, the supported maximum key size is 4096 bits.

• You can generate a general-purpose RSA key pair, used for both signing and encryption, or you can generate separate RSA key pairs for each purpose. Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a key for encryption but not signing, while IKE uses a key for signing but not encryption.

12-2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
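The "IKE with an RSA signature" exchange and the CRL check described above, as an added example that is not part of this guide or of the FWSM software: a standard-library Go program in which a constructed CA enrolls a peer, the peer presents its certificate plus an RSA signature over the verifier's nonce, and the verifying peer checks the chain, the validity period and the CRL before accepting it. The CA name, peer name, serial numbers and nonce are all constructed, and the CRL is modelled as a set of revoked serial numbers rather than a signed CRL file.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue makes a 2048-bit RSA key pair and a certificate for cn: the self-signed CA when parent is nil, otherwise a peer certificate issued by that CA (errors ignored: every input is constructed).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // the CA signs its own certificate
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate is the verifying peer's side: the presented certificate must chain to the trusted CA within its validity period and be absent from the CRL, and the signature over the verifier's nonce must check under the certificate's RSA key.
func authenticate(cert *x509.Certificate, nonce, sig []byte, roots *x509.CertPool, crl map[string]bool) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // unknown issuer, or outside the validity period
	}
	if crl[cert.SerialNumber.String()] {
		return errors.New("certificate revoked by CA")
	}
	h := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig)
}

// runExchange enrolls peer A with the CA, then has peer B challenge A with a nonce and judge A's certificate and signature; revokeA simulates the CA having placed A's serial number on its CRL.
func runExchange(revokeA bool) error {
	caCert, caKey := issue("Constructed Example CA", 1, nil, nil)
	certA, keyA := issue("peer-A", 2, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	nonce := []byte("nonce chosen by peer B") // constructed challenge from the verifying peer
	h := sha256.Sum256(nonce)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, keyA, crypto.SHA256, h[:]) // peer A signs with its private key
	return authenticate(certA, nonce, sig, roots, map[string]bool{certA.SerialNumber.String(): revokeA})
}
```

Note that a peer not enrolled with the same CA, an expired certificate, or a mismatched signature all fail at `authenticate` without any per-peer configuration on peer B, which is the scalability point the guide makes.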