10-28-2013 08:57 AM - edited 02-21-2020 05:01 AM
I want to change the crypto key size in a Cisco ASA 5540 with 8.4(3) software version.
Two keys are shown:
plm-airf-gsni-1# show crypto key mypubkey rsa
Key pair was generated at: 12:11:22 GMT-5 Oct 23 2013
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00a464c3 eba15570 345032af fcf5e8af 67ec279e 820529d5 6360605b 2a8fb5bb
58fbaf14 4a8a31f7 144058d2 61e06ef8 30f0fe8f 84750253 cdff6371 7c69ba61
1b0daf49 cadafbea 08430f16 5517211b d1a7ba4a f6fc69a2 7b6ecbb8 b0b7e218
xxxx
d558c8b0 35fb21c8 2f32b392 44525ffb bbc93f09 c05be2b1 5acf011f b71685b3
e7020301 0001
Key pair was generated at: 10:51:26 GMT-5 Oct 28 2013
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00e7dc73 73581f63
60a211ee 384d7230 0f261382 0d9c75e7 f9528e4b 0ca68fc2 353e646d 7a6701f9
xxx
4d5a6b2e 8ab4dd16 d549f2d8 94d25426 79d62e2e f1de7d65 ff020301 0001
When I issue the "crypto key generate rsa modulus 2048", it only changes the first one. What can I do to change the second one, the one with 768 bits?
Thanks for your help!
10-28-2013 11:02 AM
Try "crypto key zeroize rsa" then create a new keypair of the desired length.
10-28-2013 11:28 AM
I just tried that, but it keeps creating a key with 2048 (as the command said) and a new one of 768 bits:
plm-cpf-sdu-1/admin# show crypto key mypubkey rsa
Key pair was generated at: 13:24:53 GMT Oct 28 2013
Key name:
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00a2349a 78edbab4 9441b57a 7ae98e00 28997278 da79df55 3a8ecfba 57a7b022
83224fb7 20e9bcf2 e161c4a7 3fcbe2ab a780128e daa33e29 31737161 771c1849
11bbd53b 813e0ac2 dd244f27 d6ee0bd2 8d57416e b7cd8f53 9d4d5996 54231190
fa8b6118 8ba8408f 42d758e5 662f450d a9933cf8 17cb65c0 3b3688ab dc83b9b6
f89546fa 3307e934 89197dd8 c4acf048 2a46b36c 45c9b8fb 114a3807 42e3f65c
1bab495d 2a1bcd47 76b33846 ec29771a 10d865a5 f41e13f5 0bb25e67 ea58b298
4adcf4c9 d449523b xxxx
03e48a45 6f4ac120 64a1c31d 8de5d355 44fd7587 396a612f 6d6c2d7b 510990b8
47020301 0001
Key pair was generated at: 13:25:08 GMT Oct 28 2013
Key name:
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00bb28e6 3b1a1531
8ac9ec6b 535eff86 ea5d0409 9438b383 fd865a51 4d90721d cdd36ddb 02904b2f
fb5b6789 xxxx
f7c76018 eccd7190 edb1a074 96d76d72 658d6d24 adbbaa0f f7020301 0001
plm-cpf-sdu-1/admin#
10-28-2013 12:33 PM
Hmmm I did some experimenting.
When I zeroize keys, I confirm they are all gone (including the 768-bit .server key). I generate new ones with 2048-bit key length and confirm there is no 768-bit .server key.
Once I log back into the ASA (via ssh, using v2, specifying aes256-cbc and confirmed that the session is using the new 2048-bit key), I see the 768-bit .server key was generated dynamically.
From some additional research (here and here), I believe that specific .server key has to do with encrypting the session key for forward secrecy during session establishment. Although this is not strictly required for SSH v2, the ASA seems to have not fully dropped its use. There doesn't seem to be any way of forcing that particular key to be 768 bits. Your actual session should be protected by the 2048-bit key, however.
This is my understanding based on my research. If anyone knows better, feel free to correct me.
Hope this helps.
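Added worked example, not part of the thread or of any Cisco tool: an offline audit of `show crypto key mypubkey rsa` output. The ASA prints each key's "Key Data" as the DER-encoded SubjectPublicKeyInfo (the `30820122 300d0609 2a864886 f70d0101 0105...` prefix in the posts above is exactly that structure), so the script decodes it to recover the real modulus length instead of trusting the "Modulus Size (bits)" label, and flags anything under 2048 bits or named `*.server` (the key the thread saw come back at 768 bits after every zeroize; as far as I know that is the SSH version 1 server key, which your session does not use once `ssh version 2` is configured). The sample output, the moduli and the ASA-style hex formatting are all constructed here so the script runs without a device; the moduli are not real RSA keys.

```python
import re
from dataclasses import dataclass

# --- minimal DER helpers (encode is only used to synthesize the offline sample) ---

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption + NULL params


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with short or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:          # keep INTEGER positive, as in the ASA output (02820101 00...)
        b = b"\x00" + b
    return _der(0x02, b)


def spki_der(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo for an RSA public key (what the ASA prints as Key Data)."""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, _der(0x30, RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_pub))


def _tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def modulus_bits_from_spki(der: bytes):
    """Return (modulus bit length, public exponent) decoded from the Key Data DER."""
    tag, spki, _ = _tlv(der, 0)            # SEQUENCE SubjectPublicKeyInfo
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _alg, pos = _tlv(spki, 0)           # SEQUENCE AlgorithmIdentifier
    tag, bitstr, _ = _tlv(spki, pos)       # BIT STRING holding RSAPublicKey
    assert tag == 0x03, "expected BIT STRING"
    _, rsa_pub, _ = _tlv(bitstr[1:], 0)    # skip unused-bits octet, then SEQUENCE RSAPublicKey
    _, n_bytes, pos = _tlv(rsa_pub, 0)     # INTEGER n
    _, e_bytes, _ = _tlv(rsa_pub, pos)     # INTEGER e
    return int.from_bytes(n_bytes, "big").bit_length(), int.from_bytes(e_bytes, "big")


# --- parser for the show command output ---

@dataclass
class RsaKeyRecord:
    name: str
    usage: str
    claimed_bits: int
    der: bytes


_HEX_LINE = re.compile(r"[0-9a-fA-F]+( [0-9a-fA-F]+)*")


def parse_show_crypto_key(text: str) -> list:
    records = []
    for blk in re.split(r"^Key pair was generated at:.*$", text, flags=re.M)[1:]:
        name = re.search(r"Key name:(.*)", blk).group(1).strip()
        usage = re.search(r"Usage:(.*)", blk).group(1).strip()
        bits = int(re.search(r"Modulus Size \(bits\):\s*(\d+)", blk).group(1))
        lines = [l.strip() for l in blk.splitlines()]
        start = next(i for i, l in enumerate(lines) if l.startswith("Key Data:")) + 1
        # only pure hex lines count; prompts, blank lines and redactions like "xxxx" are skipped
        hexstr = "".join(l.replace(" ", "") for l in lines[start:] if _HEX_LINE.fullmatch(l))
        records.append(RsaKeyRecord(name, usage, bits, bytes.fromhex(hexstr)))
    return records


def audit(text: str, min_bits: int = 2048) -> list:
    """Return [(key name, actual modulus bits, [issues])] for every key in the output."""
    findings = []
    for rec in parse_show_crypto_key(text):
        actual, _e = modulus_bits_from_spki(rec.der)
        issues = []
        if actual != rec.claimed_bits:
            issues.append(f"label says {rec.claimed_bits} bits but DER modulus is {actual}")
        if actual < min_bits:
            issues.append(f"{actual}-bit modulus is below {min_bits}")
        if rec.name.endswith(".server"):
            issues.append("automatically regenerated .server key (see thread); not your SSHv2 host key")
        findings.append((rec.name, actual, issues))
    return findings


# --- constructed sample in ASA format (moduli are synthetic numbers, not real RSA keys) ---

N2048 = (1 << 2047) + 0x10001
N768 = (1 << 767) + 0x10001


def format_key_data(der: bytes) -> str:
    """Eight 32-bit hex groups per line, as the ASA prints Key Data."""
    h = der.hex()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    return "\n".join(" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))


SAMPLE = f"""plm-cpf-sdu-1/admin# show crypto key mypubkey rsa
Key pair was generated at: 13:24:53 GMT Oct 28 2013
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
{format_key_data(spki_der(N2048))}
Key pair was generated at: 13:25:08 GMT Oct 28 2013
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
{format_key_data(spki_der(N768))}
plm-cpf-sdu-1/admin#
"""

if __name__ == "__main__":
    for name, bits, issues in audit(SAMPLE):
        print(f"{name or '(unnamed)'}: {bits} bits", *issues, sep="\n    ")
```

To use it on a real box, paste the full `show crypto key mypubkey rsa` output (unredacted) into `audit()`; a redacted line such as `xxxx` is skipped and the DER decode will then fail on the truncated data, which is the correct outcome rather than a silently wrong bit count.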