
How to change de crypto key mypubkey Cisco ASA 5540?

slizarraga
Level 1

I want to change the crypto key size on a Cisco ASA 5540 running software version 8.4(3).

Two keys are shown:

plm-airf-gsni-1# show crypto key mypubkey rsa
Key pair was generated at: 12:11:22 GMT-5 Oct 23 2013
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
  00a464c3 eba15570 345032af fcf5e8af 67ec279e 820529d5 6360605b 2a8fb5bb
  58fbaf14 4a8a31f7 144058d2 61e06ef8 30f0fe8f 84750253 cdff6371 7c69ba61
  1b0daf49 cadafbea 08430f16 5517211b d1a7ba4a f6fc69a2 7b6ecbb8 b0b7e218
  xxxx
  d558c8b0 35fb21c8 2f32b392 44525ffb bbc93f09 c05be2b1 5acf011f b71685b3
  e7020301 0001

Key pair was generated at: 10:51:26 GMT-5 Oct 28 2013
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
  307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00e7dc73 73581f63
  60a211ee 384d7230 0f261382 0d9c75e7 f9528e4b 0ca68fc2 353e646d 7a6701f9
  xxx
  4d5a6b2e 8ab4dd16 d549f2d8 94d25426 79d62e2e f1de7d65 ff020301 0001

When I issue "crypto key generate rsa modulus 2048", it only changes the first one. What can I do to change the second one, the 768-bit one?

Thanks for your help!

3 Replies

Marvin Rhoads
Hall of Fame

Try "crypto key zeroize rsa" then create a new keypair of the desired length.

Reference.

I just tried that, but it keeps creating a 2048-bit key (as the command specified) and a new 768-bit one:

plm-cpf-sdu-1/admin# show crypto key mypubkey rsa
Key pair was generated at: 13:24:53 GMT Oct 28 2013
Key name:
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
  00a2349a 78edbab4 9441b57a 7ae98e00 28997278 da79df55 3a8ecfba 57a7b022
  83224fb7 20e9bcf2 e161c4a7 3fcbe2ab a780128e daa33e29 31737161 771c1849
  11bbd53b 813e0ac2 dd244f27 d6ee0bd2 8d57416e b7cd8f53 9d4d5996 54231190
  fa8b6118 8ba8408f 42d758e5 662f450d a9933cf8 17cb65c0 3b3688ab dc83b9b6
  f89546fa 3307e934 89197dd8 c4acf048 2a46b36c 45c9b8fb 114a3807 42e3f65c
  1bab495d 2a1bcd47 76b33846 ec29771a 10d865a5 f41e13f5 0bb25e67 ea58b298
  4adcf4c9 d449523b xxxx
  03e48a45 6f4ac120 64a1c31d 8de5d355 44fd7587 396a612f 6d6c2d7b 510990b8
  47020301 0001

Key pair was generated at: 13:25:08 GMT Oct 28 2013
Key name: .server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
  307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00bb28e6 3b1a1531
  8ac9ec6b 535eff86 ea5d0409 9438b383 fd865a51 4d90721d cdd36ddb 02904b2f
  fb5b6789 xxxx
  f7c76018 eccd7190 edb1a074 96d76d72 658d6d24 adbbaa0f f7020301 0001

plm-cpf-sdu-1/admin#

Hmmm I did some experimenting.

When I zeroize the keys, I confirm they are all gone (including the 768-bit .server key). I generate new ones with a 2048-bit key length and confirm there is no 768-bit .server key.

Once I log back into the ASA (via SSH, using v2, specifying aes256-cbc, and having confirmed that the session is using the new 2048-bit key), I see the 768-bit .server key was generated dynamically.

From some additional research (here and here), I believe that specific .server key has to do with encrypting the session key for forward secrecy during session establishment. Although this is not strictly required for SSH v2, the ASA seems to have not fully dropped its use. There doesn't seem to be any way of forcing that particular key to be 768 bits. Your actual session should be protected by the 2048-bit key, however.

This is my understanding based on my research. If anyone knows better, feel free to correct me.

Hope this helps.
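Both posters judge the key pairs by the "Modulus Size (bits)" line of the show output. The Python script below is an added example, not code from this thread or from Cisco: it reads the hex Key Data instead, walks the DER SubjectPublicKeyInfo only as far as the RSA modulus INTEGER, and reports each pair's real modulus length together with a policy verdict. Because only the first one or two dump lines are needed, it works on output that has been redacted the way the posts above are. The embedded sample is constructed from the header lines and the leading Key Data lines of the first post; the 2048-bit threshold and the function names are assumptions of the example.

```python
"""Audit the 'show crypto key mypubkey rsa' output of a Cisco ASA.

Added example, not code from the thread. It walks the hex Key Data
(a DER SubjectPublicKeyInfo) only as far as the RSA modulus INTEGER,
so the first one or two dump lines are enough even when the rest is
redacted, and it reports any pair whose real modulus is shorter than
policy or differs from the 'Modulus Size (bits)' line.
"""
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MIN_MODULUS_BITS = 2048  # policy threshold; an assumption for this example

# Constructed sample: header lines plus the leading Key Data lines of the
# two pairs shown in the first post; the rest of each dump is redacted.
SAMPLE_OUTPUT = """\
Key pair was generated at: 12:11:22 GMT-5 Oct 23 2013
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:
  30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
  00a464c3 eba15570 345032af fcf5e8af 67ec279e 820529d5 6360605b 2a8fb5bb
  xxxx
Key pair was generated at: 10:51:26 GMT-5 Oct 28 2013
Key name: <Default-RSA-Key>.server
Usage: Encryption Key
Modulus Size (bits): 768
Key Data:
  307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00e7dc73 73581f63
  xxx
"""


def der_header(buf, pos):
    """Return (tag, content_length, content_offset) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                       # long-form: n length octets follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def expect(buf, pos, tag, what):
    """Read a TLV header and fail loudly if the tag is not the expected one."""
    got, length, off = der_header(buf, pos)
    if got != tag:
        raise ValueError(f"expected {what} (tag 0x{tag:02x}), got 0x{got:02x}")
    return length, off


def modulus_bits_from_spki(der):
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus bit length."""
    _, pos = expect(der, 0, 0x30, "SubjectPublicKeyInfo")
    alg_len, alg = expect(der, pos, 0x30, "AlgorithmIdentifier")
    oid_len, oid = expect(der, alg, 0x06, "algorithm OID")
    if der[oid:oid + oid_len] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    _, pos = expect(der, alg + alg_len, 0x03, "subjectPublicKey BIT STRING")
    _, pos = expect(der, pos + 1, 0x30, "RSAPublicKey")   # +1 skips unused-bits octet
    mod_len, pos = expect(der, pos, 0x02, "modulus INTEGER")
    lead = der[pos:pos + 2]
    if len(lead) < 2:
        raise ValueError("dump too short to read the modulus")
    if lead[0] == 0x00:                    # DER pads a positive INTEGER with 0x00
        mod_len, lead = mod_len - 1, lead[1:]
    return (mod_len - 1) * 8 + lead[0].bit_length()


def parse_show_output(text):
    """Split the show output into one dict per key pair, keeping the leading hex."""
    pairs, cur = [], None
    for line in text.splitlines():
        if line.startswith("Key pair was generated at:"):
            cur = {"name": "", "stated_bits": None, "hex": "", "truncated": False}
            pairs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Key name:"):
            cur["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("Modulus Size (bits):"):
            cur["stated_bits"] = int(line.split(":", 1)[1])
        elif line.startswith("  ") and not cur["truncated"]:
            if re.fullmatch(r"[0-9a-fA-F ]+", line.strip()):
                cur["hex"] += line.replace(" ", "")
            else:
                cur["truncated"] = True    # redaction marker: stop collecting
    return pairs


def audit(text, min_bits=MIN_MODULUS_BITS):
    """Return one finding per key pair with the DER-derived modulus size."""
    findings = []
    for p in parse_show_output(text):
        try:
            bits = modulus_bits_from_spki(bytes.fromhex(p["hex"]))
        except (ValueError, IndexError) as exc:
            findings.append({"name": p["name"], "actual_bits": None, "weak": True, "note": str(exc)})
            continue
        note = "ok" if bits == p["stated_bits"] else f"header says {p['stated_bits']} bits"
        findings.append({"name": p["name"], "actual_bits": bits, "weak": bits < min_bits, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUT):
        flag = "WEAK" if f["weak"] else "ok  "
        print(f"{flag} {f['name'] or '(unnamed)':32} {f['actual_bits']} bits  {f['note']}")
```

Paste a real `show crypto key mypubkey rsa` capture into `audit()` to check a box; both pairs in the sample parse to exactly the sizes the header lines claim (2048 and 768), and the `.server` pair is flagged against the 2048-bit threshold. The script only measures, it does not say what the `.server` pair is used for; on Cisco platforms the `<name>.server` pair is the transient server key associated with SSH version 1, so before accepting a 768-bit one as harmless, check that the ASA is restricted with `ssh version 2` and whether the pair still reappears after a login, as the reply above describes.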
