06-12-2013 02:14 PM - edited 03-10-2019 12:03 AM
I have two ASA 5520 devices I am configuring which require FIPS 140-2 compliance. One of the FIPS 140-2 requirements states that the device must not use 512-bit or 768-bit RSA keys. I generated a key-pair using modulus 1024 which creates a "<Default-RSA-Key>" general purpose key with the correct modulus size, but when I connect via ssh a "<Default-RSA-Key>.server" key is created with a modulus size of 768-bits. I have zeroized and regenerated the keys but I still see the same behavior. My initial thinking was to just generate a "<Default-RSA-Key>.server" key with the correct modulus size, but a 768-bit key was still generated. Is there a way to force the "<Default-RSA-Key>.server" key to use a 1024-bit modulus?
Thank you for your time!
07-04-2013 11:59 AM
Hi Eric,
Would you mind sharing this output "sh crypto key mypubkey rsa"
Thanks,
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-08-2013 09:00 AM
Hi Luis,
Thank you for your reply. Output of the "sho crypto key mypubkey rsa" command follows:
***Begin***
RADIO-5520# sho crypto key mypubkey rsa
Key pair was generated at: 08:55:07 PDT Jul 8 2013
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
Key pair was generated at: 08:55:42 PDT Jul 8 2013
Key name:
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
***End***
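To audit this output for the FIPS 140-2 modulus requirement without reading it by hand, here is an added example (not from this thread or from Cisco) that parses "show crypto key mypubkey rsa" text and lists every key pair whose modulus is below 1024 bits. The sample input is constructed from the output above; the key names are filled in from the original question, since the posted output had them blanked.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "show crypto key mypubkey rsa" output in
# this thread. Key names are assumed from the question; the posted output had
# them blank. The 768-bit ".server" key is the one the thread is about.
SAMPLE_OUTPUT = """\
Key pair was generated at: 08:55:07 PDT Jul 8 2013
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
  (key data omitted)
Key pair was generated at: 08:55:42 PDT Jul 8 2013
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
  (key data omitted)
"""

# Fields of interest; "Key Data:" and the base64 body are deliberately skipped.
FIELD_RE = re.compile(r"^(Key name|Usage|Modulus Size \(bits\)):\s*(.*)$")


def parse_mypubkey_rsa(text: str) -> List[Dict[str, str]]:
    """Split the command output into one dict per key pair."""
    keys: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Key pair was generated at:"):
            # Each "generated at" line starts a new key pair record.
            keys.append({"generated": line.split(":", 1)[1].strip()})
            continue
        m = FIELD_RE.match(line)
        if m and keys:
            keys[-1][m.group(1)] = m.group(2).strip()
    return keys


def weak_rsa_keys(text: str, min_bits: int = 1024) -> List[str]:
    """Describe every key pair whose modulus is below min_bits (FIPS: no 512/768)."""
    weak = []
    for key in parse_mypubkey_rsa(text):
        bits = int(key.get("Modulus Size (bits)", "0") or 0)
        if bits < min_bits:
            name = key.get("Key name") or "(unnamed)"
            weak.append(f"{name} ({bits}-bit, {key.get('Usage', '?')})")
    return weak


if __name__ == "__main__":
    for entry in weak_rsa_keys(SAMPLE_OUTPUT):
        print("FIPS 140-2 violation:", entry)
```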
07-08-2013 10:25 AM
Hi Eric,
I just investigated further and this "
Make sure that only SSHv2 is enabled. As soon as you enable just v2 it shouldn't use "
asa (config)#ssh version 2
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-08-2013 10:32 AM
Hi Luis,
Thank you again!
I am definitely running version 2:
***Begin***
RADIO-5520# sho run ssh
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
RADIO-5520# sho ssh sessions
SID Client IP Version Mode Encryption Hmac State Username
0 *********** 2.0 IN aes128-cbc sha1 SessionStarted ************
OUT aes128-cbc sha1 SessionStarted ************
07-08-2013 02:16 PM
Thanks for the information.
Please take a look at this.
http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/c8.html#wp2476780
I have found some discussions internally but with no clear resolution.
Based on what I have seen it should use the Default-RSA-Key you generated; if you need more details I suggest you open a TAC case.
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-08-2013 02:38 PM
Thanks for the information Luis. It looks like TAC is my next step.
I appreciate your time and help,
EOW
10-23-2013 02:11 PM
Hello Eric,
Have you solved your problem?
I have the same..
Thanks!
Sergio