RSA Encrypted Nonces Overview

RSA Encrypted Nonces Overview

The RSA-encrypted nonces authentication method uses the RSA-encryption public key cryptography algorithm. This technology requires each party to generate a pseudorandom number (a nonce) and encrypt it (and possibly other publicly and privately available information), using the other party’s RSA public key. Authentication occurs when each party decrypts the other party’s nonce with their local private key, and then uses the decrypted nonce to compute a keyed hash.

The major drawback to implementing this technology is it’s somewhat difficult to configure and, therefore, more difficult to scale to a large number of VPN peers. RSA-encrypted nonces require peers to possess each other’s public keys, but they don’t use a CA. Two methods can be used for peers to get each others’ public keys:

  • Manually configure and exchange RSA keys

  • Use the RSA signatures used previously during a successful ISAKMP negotiation with the remote peer

Another potential drawback to this authentication method is this: either side of the exchange can plausibly deny they took part in the exchange. Cisco IOS software is the only Cisco product that supports this authentication method. Figure 11-6 shows a RSA-encryption authentication exchange.

Click To expand
Figure 11-6: RSA-encryption authentication exchange

This section provides a short overview of configuring IPSec using RSA-encrypted nonces. Only those tasks and steps that are unique to RSA-encrypted nonces are presented. Configuring RSA encryption is similar to preshared keys and CA support. It’s introduced using the same outline with commands introduced when those technologies were covered in Chapter 10 and earlier in this chapter. The following are the major tasks for configuring RSA-encrypted nonces:

  • Task 1 Prepare for IKE and IPSec

  • Task 2 Configure RSA keys manually

  • Task 3 Configure IKE for IPSec to select RSA encryption

  • Task 4 Configure IPSec (typically, the same as preshare keys)

  • Task 5 Test and verify IPSec

Task 2—Configure RSA Keys

The steps and commands used in Task 2 are included in the following items. While this display is intended to demonstrate the similarities to technologies already covered, a thorough coverage of the tasks and steps to configure RSA-encrypted nonces can be found in the Cisco IOS Security Configuration Guide online.

Configuring RSA keys involves the following six steps:

  • Step 2–1 Plan for RSA keys.

  • Step 2–2 Configure the router’s host name and domain name.


    ip domain-name

  • Step 2–3 Generate the RSA keys.

    crypto key generate rsa usage-keys

  • Step 2–4 Enter peer RSA public keys.

    crypto key pubkey-chain rsa

    addressed-key ip-addr

    named-key name

  • Step 2–5 Verify the key configuration.

    show crypto key mypubkey rsa

    show crypto key pubkey-chain rsa

  • Step 2–6 Manage RSA keys—Remove old keys.

    crypto key zeroize rsa

Part III: Virtual Private Networks (VPNs)