RSA Encrypted Nonces Overview

The RSA-encrypted nonces authentication method uses the RSA-encryption public key cryptography algorithm. This technology requires each party to generate a pseudorandom number (a nonce) and encrypt it (and possibly other publicly and privately available information), using the other party’s RSA public key. Authentication occurs when each party decrypts the other party’s nonce with their local private key, and then uses the decrypted nonce to compute a keyed hash.

The major drawback to implementing this technology is that it’s somewhat difficult to configure and, therefore, more difficult to scale to a large number of VPN peers. RSA-encrypted nonces require peers to possess each other’s public keys, but they don’t use a CA. Peers can get each other’s public keys in two ways:

  • Manually configure and exchange RSA keys

  • Use the RSA signatures used previously during a successful ISAKMP negotiation with the remote peer

Another potential drawback to this authentication method is that either side of the exchange can plausibly deny having taken part in it. Cisco IOS software is the only Cisco product that supports this authentication method. Figure 11-6 shows an RSA-encryption authentication exchange.

Figure 11-6: RSA-encryption authentication exchange
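
The exchange described above, reduced to its core as an added example (not from the original text and not Cisco IOS code): each side encrypts a nonce under the peer's public key, recovers the peer's nonce with its own private key, and proves possession through a keyed hash. Assumptions: unpadded toy RSA keys built from Mersenne primes, HMAC-SHA-256 as the keyed hash, the Diffie-Hellman values and SA payload that IKE also hashes left out, and all function names hypothetical.

```python
import hashlib, hmac, secrets

E = 65537  # public exponent

def toy_keypair(p, q):
    """Textbook RSA key pair from two known primes (constructed, toy-sized)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def rsa_apply(key, value):
    """Raw modular exponentiation; real IKE uses PKCS #1 padded RSA."""
    n, exp = key
    return pow(value, exp, n)

def encrypt_nonce(peer_pub, nonce):
    return rsa_apply(peer_pub, int.from_bytes(nonce, "big"))

def decrypt_nonce(own_priv, wire):
    # A wrong key yields garbage of any size; keep the low 128 bits so it still fits.
    return (rsa_apply(own_priv, wire) % (1 << 128)).to_bytes(16, "big")

def skeyid(ni, nr, cky_i, cky_r):
    # Shape of RFC 2409's SKEYID for this method: prf(hash(Ni | Nr), CKY-I | CKY-R)
    return hmac.new(hashlib.sha256(ni + nr).digest(), cky_i + cky_r, hashlib.sha256).digest()

def keyed_hash(key, *fields):
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()

def exchange(i_pub, i_priv, r_pub, r_priv):
    """Run one exchange; return (initiator_accepts, responder_accepts)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # nonces
    # Each nonce crosses the wire encrypted under the peer's public key ...
    ni_wire, nr_wire = encrypt_nonce(r_pub, ni), encrypt_nonce(i_pub, nr)
    # ... and is recovered with the receiver's own private key.
    k_i = skeyid(ni, decrypt_nonce(i_priv, nr_wire), cky_i, cky_r)
    k_r = skeyid(decrypt_nonce(r_priv, ni_wire), nr, cky_i, cky_r)
    hash_i = keyed_hash(k_i, cky_i, cky_r, b"ID-initiator")
    hash_r = keyed_hash(k_r, cky_r, cky_i, b"ID-responder")
    # Each side verifies by recomputing the peer's hash itself, so either side
    # could have produced the whole transcript: the deniability noted above.
    ok_i = hmac.compare_digest(hash_r, keyed_hash(k_i, cky_r, cky_i, b"ID-responder"))
    ok_r = hmac.compare_digest(hash_i, keyed_hash(k_r, cky_i, cky_r, b"ID-initiator"))
    return ok_i, ok_r

# Constructed toy keys from Mersenne primes; far too small for real use.
I_PUB, I_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)
R_PUB, R_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)

if __name__ == "__main__":
    print(exchange(I_PUB, I_PRIV, R_PUB, R_PRIV))   # both sides hold the right keys
    print(exchange(I_PUB, I_PRIV, R_PUB, I_PRIV))   # responder lacks R's private key
```

When the responder does not hold the private key matching the public key the initiator has on file, the recovered nonce is wrong, the derived keys differ, and both hash checks fail.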

This section provides a short overview of configuring IPSec using RSA-encrypted nonces. Only those tasks and steps that are unique to RSA-encrypted nonces are presented. Configuring RSA encryption is similar to configuring preshared keys and CA support. It’s presented using the same outline and the commands introduced when those technologies were covered in Chapter 10 and earlier in this chapter. The following are the major tasks for configuring RSA-encrypted nonces:

  • Task 1 Prepare for IKE and IPSec

  • Task 2 Configure RSA keys manually

  • Task 3 Configure IKE for IPSec to select RSA encryption

  • Task 4 Configure IPSec (typically, the same as preshared keys)

  • Task 5 Test and verify IPSec

Task 2—Configure RSA Keys

The steps and commands used in Task 2 are listed in the following items. This list is intended to show the similarities to technologies already covered; thorough coverage of the tasks and steps to configure RSA-encrypted nonces can be found in the Cisco IOS Security Configuration Guide online.

Configuring RSA keys involves the following six steps:

  • Step 2–1 Plan for RSA keys.

  • Step 2–2 Configure the router’s host name and domain name.

    hostname

    ip domain-name

  • Step 2–3 Generate the RSA keys.

    crypto key generate rsa usage-keys

  • Step 2–4 Enter peer RSA public keys.

    crypto key pubkey-chain rsa

    addressed-key ip-addr

    named-key name

  • Step 2–5 Verify the key configuration.

    show crypto key mypubkey rsa

    show crypto key pubkey-chain rsa

  • Step 2–6 Manage RSA keys—Remove old keys.

    crypto key zeroize rsa



