06-12-2013 02:14 PM - edited 03-10-2019 12:03 AM
I have two ASA 5520 devices I am configuring which require FIPS 140-2 compliance. One of the FIPS 140-2 requirements states that the device must not use 512-bit or 768-bit RSA keys. I generated a key pair using modulus 1024 which creates a "<Default-RSA-Key>" general purpose key with the correct modulus size, but when I connect via SSH a "<Default-RSA-Key>.server" key is created with a modulus size of 768 bits. I have zeroized and regenerated the keys but I still see the same behavior. My initial thinking was to just generate a "<Default-RSA-Key>.server" key with the correct modulus size, but a 768-bit key was still generated. Is there a way to force the "<Default-RSA-Key>.server" key to use a 1024-bit modulus?
Thank you for your time!
07-04-2013 11:59 AM
Hi Eric,
Would you mind sharing this output "sh crypto key mypubkey rsa"
Thanks,
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-08-2013 09:00 AM
Hi Luis,
Thank you for your reply. Output of the "sho crypto key mypubkey rsa" command follows:
***Begin***
RADIO-5520# sho crypto key mypubkey rsa
Key pair was generated at: 08:55:07 PDT Jul 8 2013
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
Key pair was generated at: 08:55:42 PDT Jul 8 2013
Key name:
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
***End***
07-08-2013 10:25 AM
Hi Eric,
I just investigated further and this "
Make sure that only SSHv2 is enabled. As soon as you enable just v2 it shouldn't use "
asa (config)#ssh version 2
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
07-08-2013 10:32 AM
Hi Luis,
Thank you again!
I am definitely running version 2:
***Begin***
RADIO-5520# sho run ssh
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
RADIO-5520# sho ssh sessions
SID Client IP Version Mode Encryption Hmac State Username
0 *********** 2.0 IN aes128-cbc sha1 SessionStarted ************
OUT aes128-cbc sha1 SessionStarted ************
07-08-2013 02:16 PM
Thanks for the information.
Please take a look at this.
http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/c8.html#wp2476780
I have found some discussions internally but with no clear resolution.
Based on what I have seen it should use the Default-RSA-Key you generated; if you need more details I suggest you open a TAC case.
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach"
http://www.cisco.com/web/partners/tools/pdihd.html
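A practitioner-side check that settles the question independently of what `show crypto key mypubkey rsa` lists: capture the RSA host key the ASA actually presents during the SSH handshake (for example with `ssh-keyscan -t rsa <asa-ip>`) and measure the modulus in the wire-format blob. The following is an added example, not code from the thread or from Cisco; the host addresses and the "keyscan" lines it audits are constructed stand-ins (synthetic moduli with the right bit length, not real RSA keys), so it runs offline. Feed it real `ssh-keyscan` output to audit a fleet of devices against the FIPS 140-2 rule that 512- and 768-bit RSA keys are not allowed.

```python
import base64
import struct


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 length + bytes) from blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    return blob[offset:offset + length], offset + length


def rsa_modulus_bits(key_line: str) -> int:
    """Return the modulus size in bits of an OpenSSH 'ssh-rsa AAAA...' line.

    Accepts both authorized_keys style ('ssh-rsa <b64> [comment]') and
    ssh-keyscan style ('<host> ssh-rsa <b64>') lines.
    """
    fields = key_line.split()
    try:
        idx = fields.index("ssh-rsa")
    except ValueError:
        raise ValueError("not an ssh-rsa key line") from None
    blob = base64.b64decode(fields[idx + 1])
    algo, off = _read_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa key")
    _e, off = _read_string(blob, off)   # public exponent (mpint), not needed here
    n, _off = _read_string(blob, off)   # modulus (mpint, leading 0x00 if top bit set)
    return int.from_bytes(n, "big").bit_length()


def fips_rsa_key_ok(bits: int, minimum: int = 1024) -> bool:
    """FIPS 140-2 rejects 512- and 768-bit RSA; treat anything below 1024 as a fail."""
    return bits >= minimum


def audit_keyscan_output(text: str, minimum: int = 1024):
    """Audit every ssh-rsa line in ssh-keyscan output; returns {host: (bits, ok)}."""
    results = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "ssh-rsa" not in fields:
            continue                      # ssh-keyscan banner comments and blanks
        bits = rsa_modulus_bits(line)
        results[fields[0]] = (bits, fips_rsa_key_ok(bits, minimum))
    return results


def make_constructed_rsa_line(bits: int, host=None) -> str:
    """Build a synthetic ssh-rsa line whose modulus is exactly `bits` bits long.

    CONSTRUCTED TEST DATA: the modulus is just an odd integer with its top bit
    set, not a real RSA key. It exists only so the parser can run offline.
    """
    def mpint(x: int) -> bytes:
        # Positive mpint: big-endian, with a leading 0x00 when the top bit is set.
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return struct.pack(">I", len(b)) + b

    n = (1 << (bits - 1)) | 1
    e = 65537
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{host} {line}" if host else line


if __name__ == "__main__":
    # Constructed stand-in for `ssh-keyscan -t rsa 10.0.0.1 10.0.0.2` output.
    sample = "\n".join([
        "# 10.0.0.1:22 (banner comment line, constructed)",
        make_constructed_rsa_line(768, "10.0.0.1"),
        make_constructed_rsa_line(1024, "10.0.0.2"),
    ])
    for host, (bits, ok) in audit_keyscan_output(sample).items():
        verdict = "OK" if ok else "FAIL (below 1024)"
        print(f"{host}: {bits}-bit RSA host key -> {verdict}")
```

Run `ssh-keyscan -t rsa <asa-ip> > keys.txt` from a management host and pass the file contents to `audit_keyscan_output`; if the reported size is 768 while `show crypto key mypubkey rsa` shows a 1024-bit general purpose key, the ASA is serving the smaller `.server` key and the TAC case has its evidence.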
07-08-2013 02:38 PM
Thanks for the information Luis. It looks like TAC is my next step.
I appreciate your time and help,
EOW
10-23-2013 02:11 PM
Hello Eric,
Have you solved your problem?
I have the same..
Thanks!
Sergio