Wednesday, November 12, 2014

Building exportable keys and exporting via Cisco IOS

In this example, I will demonstrate building a common RSA key-pair that:

   1: is exportable

   2: has DES or 3DES encryption for the export

   3: is exported via terminal output, scp, or directly to a USB drive or other storage

First, with normal RSA or ECDSA key creation, the keys are stored in the private-config portion of the Cisco device. This directory is "NO READ ACCESS!" for security purposes.

e.g. ( default storage when we use the "crypto key generate rsa modulus 1024" command )

The key is always created with the name "hostname.domainname". This is why you need a hostname and a domain name before creating the key on Cisco, and you will get an error if you try to build a key-pair without the two.

So the above key-pair is stored locally and cannot be read or tampered with. If you remember my earlier post on the private-key used within Fortinet's FortiGates, they are NOT tamper proof.

On Cisco IOS these keys are tamper proof if not exported and if you leave them in the default location. Outside of maybe a destructive approach, you will never gain access to that private-key.

So now we can try to confirm access to the storage location of private-config. As you can see, the private-config is not readable.

Okay, so how do you create a key that can be exported?

Well, it's very simple: you need to instruct IOS to make the key exportable and then store it in a location that can be exported.

Here's an example of this task.

1: Making the keys exportable with a label ( the label is the name you give the key )

AR011(config)#crypt key generate rsa label SOCPUPPETS-key01 exportable modulus 1024
The name for the keys will be: SOCPUPPETS-key01

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)

2: Validation of the newly created key-pair

AR011#show crypto key mypubkey rsa SOCPUPPETS-key01
% Key pair was generated at: 11:18:48 EST Nov 11 2014
Key name: SOCPUPPETS-key01
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable. Redundancy enabled.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CBE4DD
  0E487492 67E31E7F 1A9E0C36 7A055DFB EA5923BF DAB07842 B901F46C 9543722B
  73AA43DC 61E25F93 46D543BF 5FA12A25 D765CF83 45F56C25 618F4D5C 33395FDC
  4F3B81E2 899519F4 B7250858 44ED32F7 F5244954 E873336C E285BAB5 7C90C087
  937F6FA2 298D1515 D65903E0 7C94D727 B2F7BCAE 6AEDDD29 7A50E290 09020301 0001

3: Exporting the key-pair to the terminal, setting a passphrase of at least 8 characters and using 3DES

The key needs a passphrase of at least 8 characters and either 3DES ( preferred ) or, optionally, DES. Still to date & for whatever reason Cisco hasn't deployed AES. Please DO NOT use 12345678 as a passphrase ;)

If we want to export the key to a local drive ( flash, bootflash, usb0: ), you specify this via the url.

The "url" could be a ftp, tftp, or scp destination

Now with the key exported, you can save, copy, or reuse this key-pair elsewhere. Keep in mind the private-key should always be secured no matter what.

With the passphrase and encryption, you will need to remember what was used. Here, I will show you how we validate the key-pair modulus ( fingerprint ) using openssl.
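The modulus check described above, as an added example that is not part of the original post: it decrypts the exported private key with the export passphrase and compares its modulus with the public key's. The file names and the IOS_KEY_PASS environment variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File names are hypothetical.
# The passphrase is read from the IOS_KEY_PASS environment variable so it
# does not appear on the openssl command line or in the process list.

# Print "Modulus=<hex>" for a passphrase-protected private key PEM.
priv_modulus() {
    openssl rsa -in "$1" -passin env:IOS_KEY_PASS -noout -modulus 2>/dev/null
}

# Print "Modulus=<hex>" for a public key PEM.
pub_modulus() {
    openssl rsa -pubin -in "$1" -noout -modulus 2>/dev/null
}

# Compare the two halves of an exported key-pair.
# Returns 0 on match, 1 on mismatch, and 2 if either file cannot be
# parsed (wrong passphrase, truncated terminal paste, not a PEM file).
check_keypair() {
    priv=$(priv_modulus "$1") || return 2
    pub=$(pub_modulus "$2") || return 2
    [ -n "$priv" ] && [ -n "$pub" ] || return 2
    if [ "$priv" = "$pub" ]; then
        # Short SHA-256 fingerprint of the modulus, easier to record
        # and compare than the full hex string.
        printf '%s' "$priv" | openssl dgst -sha256
        return 0
    fi
    return 1
}

# Example invocation (hypothetical file names):
#   IOS_KEY_PASS='...' sh check_keypair.sh SOCPUPPETS-key01.prv SOCPUPPETS-key01.pub
if [ "$#" -eq 2 ]; then
    if check_keypair "$1" "$2"; then
        echo "key-pair matches"
    else
        echo "key-pair does NOT match, or a file could not be read" >&2
        exit 1
    fi
fi
```

A return code of 2 usually means the passphrase or the chosen cipher was not the one used at export time, or the PEM text was cut off when copied from the terminal.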

If you want to remove any key-pair, you can always use the following command.

config t
crypto key zeroize rsa <key-pair-name>

A few key points to take away:
  •  IOS key-pair creation is quite simple

  •  you have the ability to tag keys exportable

  •  you can extract them off the Cisco device

  •  a passphrase must be set for the key-pair ( private-key uses the passphrase )

  •  always secure the keys

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  +  - )=
      /  \
