cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1848
Views
0
Helpful
7
Replies
Highlighted
Beginner

FIPS Compliant RSA Key

I have two ASA 5520 devices I am configuring which require FIPS 140-2 compliance. One of the FIPS 140-2 requirement states that the device must not use 512-bit or 768-bit RSA keys. I generated a key-pair using modulus 1024 which creates a "<Default-RSA-Key>" general purpose key with the correct modulus size, but when I connect via ssh a "<Default-RSA-Key>.server" key is created with a modulus size of 768-bits. I have zeroized and regenerated the keys but I still see the same behavior. My initial thinking was to just generate a "<Default-RSA-Key>.server" key with the correct modulus size, but a 768-bit key was still generated. Is there a way to force the "<Default-RSA-Key>.server" key to use a 1024-bit modulus?

Thank you for your time!

Everyone's tags (5)
7 REPLIES 7
Highlighted
Cisco Employee

FIPS Compliant RSA Key

Hi Eric,

Would you mind sharing this output "sh crypto key mypubkey rsa"

Thnaks,

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
Highlighted
Beginner

FIPS Compliant RSA Key

Hi Luis,

Thank you for your reply. Output of the "sho crypto key mypubkey rsa" command follows:

***Begin***

RADIO-5520# sho crypto key mypubkey rsa

Key pair was generated at: 08:55:07 PDT Jul 8 2013

Key name:

Usage: General Purpose Key

Modulus Size (bits): 1024

Key Data:

Key pair was generated at: 08:55:42 PDT Jul 8 2013

Key name: .server

Usage: Encryption Key

Modulus Size (bits): 768

Key Data:

***End***

Highlighted
Cisco Employee

FIPS Compliant RSA Key

Hi Eric,

I just investigate further and this ".server" is used by SSHv1 and it is regenerated every hour.

Make sure that only SSHv2 is enable. As soon as you enable just v2 it shouldn't use ".server"

asa (config)#ssh version 2

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
Highlighted
Beginner

Re: FIPS Compliant RSA Key

Hi Luis,

Thank you again!

I am definitely running version 2:

***Begin***

RADIO-5520# sho run ssh

ssh timeout 5

ssh version 2

ssh key-exchange group dh-group1-sha1

RADIO-5520# sho ssh sessions

SID     Client IP          Version   Mode   Encryption Hmac     State                  Username

0        ***********         2.0         IN        aes128-cbc sha1     SessionStarted    ************

                                              OUT     aes128-cbc sha1     SessionStarted    ************

Highlighted
Cisco Employee

FIPS Compliant RSA Key

Thanks for the information.

Please take a look to this.

http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/c8.html#wp2476780

I have found some discussions internally but with no clear resolution.

Based of what I have seen it should use the Default-RSA-Key you generated; if you need more details I suggest you to open a TAC case.

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
Highlighted
Beginner

Re: FIPS Compliant RSA Key

Thanks for the information Luis. It looks like TAC is my next step.

I appreciate your time and help,

EOW

Highlighted
Beginner

FIPS Compliant RSA Key

Hello Eric,

Have you solved your problem?

I have the same..

Thanks!

Sergio