The RSA-encrypted nonces authentication method uses the RSA-encryption public key cryptography algorithm. This technology requires each party to generate a pseudorandom number (a nonce) and encrypt it (and possibly other publicly and privately available information), using the other party’s RSA public key. Authentication occurs when each party decrypts the other party’s nonce with their local private key, and then uses the decrypted nonce to compute a keyed hash.
The major drawback to implementing this technology is it’s somewhat difficult to configure and, therefore, more difficult to scale to a large number of VPN peers. RSA-encrypted nonces require peers to possess each other’s public keys, but they don’t use a CA. Two methods can be used for peers to get each others’ public keys:
Manually configure and exchange RSA keys
Use the RSA signatures used previously during a successful ISAKMP negotiation with the remote peer
Another potential drawback to this authentication method is this: either side of the exchange can plausibly deny they took part in the exchange. Cisco IOS software is the only Cisco product that supports this authentication method. Figure 11-6 shows a RSA-encryption authentication exchange.
This section provides a short overview of configuring IPSec using RSA-encrypted nonces. Only those tasks and steps that are unique to RSA-encrypted nonces are presented. Configuring RSA encryption is similar to preshared keys and CA support. It’s introduced using the same outline with commands introduced when those technologies were covered in Chapter 10 and earlier in this chapter. The following are the major tasks for configuring RSA-encrypted nonces:
Task 1 Prepare for IKE and IPSec
Task 2 Configure RSA keys manually
Task 3 Configure IKE for IPSec to select RSA encryption
Task 4 Configure IPSec (typically, the same as preshare keys)
Task 5 Test and verify IPSec
The steps and commands used in Task 2 are included in the following items. While this display is intended to demonstrate the similarities to technologies already covered, a thorough coverage of the tasks and steps to configure RSA-encrypted nonces can be found in the Cisco IOS Security Configuration Guide online.
Configuring RSA keys involves the following six steps:
Step 2–1 Plan for RSA keys.
Step 2–2 Configure the router’s host name and domain name.
Step 2–3 Generate the RSA keys.
crypto key generate rsa usage-keys
Step 2–4 Enter peer RSA public keys.
crypto key pubkey-chain rsa
Step 2–5 Verify the key configuration.
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa
Step 2–6 Manage RSA keys—Remove old keys.
crypto key zeroize rsa