Generating RSA Keys

Generating RSA Keys

Problem

You want to create a shareable RSA key for authentication or encryption.

Solution

First, you must create the keys on both devices. We recommend using at least 1024-bit keys in production networks:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#end
Router1#show crypto key mypubkey rsa
% Key pair was generated at: 01:19:45 EST Mar 1 2003
Key name: Router1.oreilly.com
Usage: General Purpose Key
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
% Key pair was generated at: 01:19:52 EST Mar 1 2003
Key name: Router1.oreilly.com.server
Usage: Encryption Key
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BD928A BD5637E6
2265621C 3AC57138 911CA27D 11F40AA1 E657EA26 6EBF654C 952A3319 D421A33C
E2ECA87E CD7E050C 8A8FE64D B73954EA BF2ED639 BC6A8F74 5B9550EA 4119E796
A97430E2 4B1BF7D3 ED1469FF AEA83690 A0FEA871 BBFBE8AD 19020301 0001
Router1#

And then you can use cut and paste to copy this manually generated key into the other device:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#crypto key pubkey-chain rsa
Router2(config-pubkey-chain)#addressed-key 192.168.99.1
Router2(config-pubkey-key)#address 192.168.99.1
Router2(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

Router2(config-pubkey)#30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
Router2(config-pubkey)#D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
Router2(config-pubkey)#B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
Router2(config-pubkey)#FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
Router2(config-pubkey)#2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001
Router2(config-pubkey)#quit
Router2(config-pubkey-key)#exit
Router2(config-pubkey-chain)#exit
Router2(config)#end
Router2#show crypto key pubkey-chain rsa address 192.168.99.1
Key address: 192.168.99.1
Usage: General Purpose Key
Source: Manually entered
Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E68338
D561B2D1 7B8B75D6 7B34F6AF 1710B00B 5B6E9E8D D7183BE6 F08A6342 054EADFC
B764DF9C 4592B891 522727F2 14233B47 8F757134 24F03DB3 833C5988 312B11E9
FB6E0E20 4579C0A4 F2062353 4F1C8CE4 410EE57B 9FCEE784 DA7E3852 408E9742
2584DF56 67293F3F F76B6A96 C4D518FB 1A0114BF E2449838 BE5794E2 37020301 0001


Router2#

Discussion

The first thing to notice is that the output includes the following line:

The name for the keys will be: Router1.oreilly.com

The router name and domain name are always included in the key. So it is critical to define these two values before generating the keys. If you generate the keys first and then change the router's name or domain, the keys may no longer work:

Router1(config)#hostname Router1
Router1(config)#ip domain-name oreilly.com

When you use the crypto key generate command to create new keys, the router must delete any existing keys:

Router1(config)#crypto key generate rsa 
The name for the keys will be: Router1.oreilly.com
% You already have RSA keys defined for Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#

This has the side effect that, during key generation, any services on the router currently using these keys will be temporarily disabled. Key generation can take a considerable length of time, depending on the model of router and the size of the key modulus. We have seen a low-end access router take as long as an hour to generate a key with a very large modulus for greater security. During this time, the router's CPU load was extremely high. So we urge caution when using this command.

You can remove existing keys with the crypto key zeroize command:

Router1(config)#crypto key zeroize rsa 
% Keys to be removed are named Router1.oreilly.com.
Do you really want to remove these keys? [yes/no]: yes
Router1(config)#

If the router has any services that are using the deleted keys, it will automatically disable them until you generate new keys.

You can also generate special usage keys as follows:

Router1(config)#crypto key generate rsa usage-keys 
The name for the keys will be: Router1.oreilly.com
% You already have RSA keys defined for Router1.oreilly.com.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
Choose the size of the key modulus in the range of 360 to 2048 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]

Router1(config)#

This command creates separate authentication signature and encryption keys. Note that we have created a 1024-bit key in this example. In general, longer keys are more secure, but also require considerably more computing time to generate. SSH Communications Security Corporation, the original developer of the SSH protocol, currently recommends a key length of 2048 bits for most applications.

You can look at the public keys with the show crypto key command:

Router1#show crypto key mypubkey rsa 
% Key pair was generated at: 01:29:04 EST Mar 1 2003
Key name: Router1.oreilly.com
Usage: Signature Key
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00AAED98
0E454C8F ED9DB93E 312B00BD FF561C49 5480344A 094F0EA8 0D994051 AC627CF2
5FA7F802 DB0A1206 4EB8F8E5 122C9B2D 0F3A20D8 C0E90280 D4F6518A 9C6C2E48
A570D05A AE2881CA B9366990 931C4A7E EDC6B352 13815B91 3A02B44E 4655DE6D
1CB5AB35 058B60AA 4639B696 A8EE735E DA15B300 B8A0CE51 7C42B73A 53020301 0001
% Key pair was generated at: 01:29:11 EST Mar 1 2003
Key name: Router1.oreilly.com
Usage: Encryption Key
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D18F99
EC2A5754 C1FEF911 E16BFD80 6C3E9517 42716B78 99692618 B57B529B A9C19B23
6D4BF3CE 39728DEF 2B3D10F9 3DABBDFD 8CAB09F7 0A56768C 053BB4AF 7F224E44
FA341851 10152A86 28C2084F C13E0738 4C478BED 9960E229 CB112077 097F3DC9
DD40D109 0A513D31 FF0FD51D B3515CEA F81738B6 5BB02FF6 812A01AC F7020301 0001
% Key pair was generated at: 01:29:14 EST Mar 1 2003
Key name: Router1.oreilly.com.server
Usage: Encryption Key
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B43311 D047EFBC
314C57DB 93F3E755 5CEBF4B5 D0258169 6DAC695B A0F5DA35 C6C7B106 C2BB7863
0201B68A 7C2F3313 47223065 BDF84692 BF974F2E E4037D5D C976DB3A 231D2603
6DE8CDCE 8EAD613E 5C984091 55A6B0F5 920E285B 6E4ED34E 31020301 0001
Router1#

As you can see, the router now has a signature key and an encryption key where it previously had only a general purpose key. However, it is important to remember that this is only the public key. There is also a corresponding private key that you cannot view on the router. The router keeps this key in its NVRAM storage and sets file permissions so nobody can read it. The private key is what the router uses to encrypt things that it sends. The public key can decrypt anything encrypted with the private key. Every device that this router shares encrypted information with will need a copy of the public key, but the private key is secret.

As a side effect of this, the public key provides an excellent authentication system. If a remote device's public key successfully decrypts a message from that device, then you know that this message must have been encrypted with that device's private key. And, consequently, if the private key is really private, the message must actually have been sent by that device.

When you use these keys on routers, we highly recommend using the cut-and-paste feature on your terminal rather than trying to type all of this in manually. A single typographical error in this sequence will make the key useless. Note, however, that there is an inherent security risk in copying and pasting a key like this over a network. If you are using an insecure protocol like Telnet, the packet can be intercepted, and the key information is easily extracted. So you should avoid doing this over untrusted networks, or you should use a more secure access method such as SSH to access the routers. We discuss using SSH for router access in Recipe 3.20.

In Recipe 12.6, we show an example of how to use RSA keys.

See Also