2: has des or 3des encrytion for the exportation
3: exported via terminal-output, scp , directly to a usb drive or other storage
1st, with the normal rsa or ecdsa keys creation, the keys are stored in the private-config portion of the cisco device. This directory is a "NO READ ACCESS!" for security purposes.
e.g ( default storage when we use the "crypto key generate rsa modulus 1024" command )
The key is always created with the "hostname.domainname". This is why you need a hostname and domain before creation of the key on cisco. And you will get an error if you try to build a keypair without the 2.
So the above key-pair is stored locally and has no ability to be read or tampered with. If you remember my earlier post on the private-key used within fortinet's Fortigates, they are NOT tamper proof. http://socpuppet.blogspot.com/2014/08/your-fortigate-is-not-as-secured-as-you.html
On a cisco IOS these keys are tamper proof if not exported and if you leave them in the default location. Outside of maybe a destructive approach, you will never gain access to that private-key.
So now we can try to confirm access to the storage location of private-config. As you can see, the private-config is not readable
Okay so how do you create a key that can be exported?
Will it's very simple, you need to instruct IOS to ensure the key is exportable and then storage in a location that can be exported.
Here's a an example of this task.
1: Making the keys exportable with a label ( the label is the name you give the key )
AR011(config)#crypt key generate rsa label SOCPUPPETS-key01 exportable modulus 1024
The name for the keys will be: SOCPUPPETS-key01
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 0 seconds)
2: Validation of the newly created key-pair
AR011#show crypto key mypubkey rsa SOCPUPPETS-key01
% Key pair was generated at: 11:18:48 EST Nov 11 2014
Key name: SOCPUPPETS-key01
Key type: RSA KEYS
Storage Device: not specified
Usage: General Purpose Key
Key is exportable. Redundancy enabled.
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00CBE4DD
0E487492 67E31E7F 1A9E0C36 7A055DFB EA5923BF DAB07842 B901F46C 9543722B
73AA43DC 61E25F93 46D543BF 5FA12A25 D765CF83 45F56C25 618F4D5C 33395FDC
4F3B81E2 899519F4 B7250858 44ED32F7 F5244954 E873336C E285BAB5 7C90C087
937F6FA2 298D1515 D65903E0 7C94D727 B2F7BCAE 6AEDDD29 7A50E290 09020301 0001
3: Exporting the key-pair and setting a passphrase of at least 8 characters using 3des to the terminal
The key needs a passphrase of at least 8 characters and either 3des ( preferred ) or optional des. Still to date & for whatever reason cisco hasn't deployed AES. Please DO NOT use d 1 2 3 4 5 6 7 8 a s passphrase ;)
If we want to export the key to a drive local ( flash, bootfash, usb0: ) you will specify this via the url.
The "url" could be a ftp, tftp, or scp destination
Now with the key exported, you can save or copy or reused this key-pair elsewhere. Keep in mind the private-key should always be secured no matter what.
With the passphrase and encryption, you will need to remember what was used. Here , I will show you how we validate the key-pair modulus ( fingerprint ) using openssl
If you want to remove any key-pair you can always use the following command.
crypto key zeroize rsa <key-pair-name>
A few key points to take away;
- IOS key-pair creation is quite simpler
- you have the ability to tag keys exportable
- you can extract them off the cisco device
- a passphrase must be set for the key-pair ( private-key uses the passphrase )
- always secure the keys
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( + - )=