Velocity Reviews - Computer Hardware Reviews


VPN: RSA vs Pre-Shared

 
 
Elia Spadoni (Guest), 03-23-2008
Hello,
I am planning to do a LAN-to-LAN VPN, but I was wondering about the
differences in security between a pre-shared key and the RSA method.
In the IOS I have two different RSA options:

pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature


What are the differences in terms of security?

 
Elia Spadoni (Guest), 03-23-2008
Thank you for your answers.

But it is not clear to me what the differences are between pre-shared (the
one I actually use) and RSA-encr.

I always do site-to-site gre+ipsec tunnels.




 
News Reader (Guest), 03-23-2008
With rsa-encr, you manually enter the peer's public key into your local
configuration.

With rsa-sig, you are using X.509 digital certificates (i.e. reliance
on Public Key Infrastructure).

The difference is scalability. If you had a large number of devices you
would use rsa-sig.

For your needs, rsa-encr will be fine.

Best regards,
News Reader

News Reader (Guest), 03-23-2008
When you first configure a device for SSH, or IPSec, you generate an RSA
key pair (public and private keys).

To view "your" public keys:

router# sh crypto key mypubkey rsa

It is your public key that you are providing to the admin of your VPN
peer. He will manually enter your public key into the crypto config on
his end. Likewise, you will enter the public key of his device into your
crypto config.

The resulting section of your config will look something like this:

crypto key pubkey-chain rsa
named-key peer.domain.com encryption
address aaa.bbb.ccc.ddd
key-string
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXX
quit

The "X"s will of course be hexadecimal numbers.

To view the public keys of "others", that are presently in your config:

router# sh crypto key pubkey-chain rsa


Hopefully you are familiar with the basics of public key encryption.
When you encrypt something with the peer's public key, only he can
decrypt it with his private key, which he must closely guard.

Best regards,
News Reader


Elia Spadoni (Guest), 03-23-2008
Hello,
thank you for your really complete answers.

So... the easiest to use is the pre-shared (not RSA type).

But which is the most secure? If I put this method on a cleartext wireless
link (the one explained in the post above), which will be less prone to
man-in-the-middle attack?


News Reader (Guest), 03-23-2008
Pre-shared keys are the least secure, and I don't use them for
site-to-site VPNs.

I use rsa-encr or rsa-sig, both are secure.

With either of the RSA methods, you will need to generate an RSA key
pair on each router. This is easily done; just locate and follow the
procedure for enabling SSH. If you are currently using SSH or HTTPS to
access the router, the keys are already there. Refer to my earlier post
for commands to view a key pair.

RSA-SIG requires a private key infrastructure (PKI), and is primarily
intended to address issues of scalability.

RSA-ENCR requires manual entry of the peer's public key into your local
config.

Both RSA methods are based on the "same" key pair.

Use RSA-ENCR rather than pre-shared keys to improve your security
posture. Pursue RSA-SIG if you have a large number of IPSec tunnel
endpoints to lessen the administrative overhead.

If you are worried about man in the middle attacks, concern yourself with:

- The size of your RSA keys (modulus)
- Lifetimes of the ISAKMP SA, and IPSec SAs
- Choice of authentication and encryption transforms for ISAKMP and IPSec
- DH Group
- PFS (Perfect Forward Secrecy)

... all of which are determined by your configuration choices.

Best regards,
News Reader



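The rsa-encr method described in the two News Reader posts above rests on one manual step: the hex key-string you paste in must really be the peer's key, and that can only be confirmed out of band (the peer admin reads you a fingerprint, you compare). The post also puts RSA modulus size at the top of the man-in-the-middle checklist. The script below is an added example, not code from the thread or from Cisco: it is standard-library Python that parses a "crypto key pubkey-chain rsa" block of the shape shown above, decodes each key-string (a DER SubjectPublicKeyInfo in hex), reports the modulus size, and compares a SHA-256 fingerprint of the key against the value the peer admin gave you. The host names, addresses and moduli in the sample config are constructed placeholders; the moduli are just integers of the right bit length, not real RSA keys.

```python
import hashlib
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption, as a DER TLV

# --- minimal DER helpers, standard library only ---------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive

def _read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def build_spki(n, e):
    """RSA SubjectPublicKeyInfo DER, the structure IOS stores as the key-string."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")                  # AlgorithmIdentifier with NULL params
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))         # RSAPublicKey
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))  # BIT STRING, zero unused bits

def parse_spki(der_bytes):
    """Return (modulus, public exponent) from an RSA SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(der_bytes, 0)
    tag_alg, alg, pos = _read_tlv(body, 0)
    if tag != 0x30 or tag_alg != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag_bits, bits, _ = _read_tlv(body, pos)
    if tag_bits != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = _read_tlv(bits[1:], 0)
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def fingerprint(spki):
    """SHA-256 of the DER: the value to compare with what the peer admin gives you out of band."""
    return hashlib.sha256(spki).hexdigest()

def ios_key_string(spki):
    """Lay the DER out as IOS prints it: 8-hex-char groups, 8 groups per line."""
    h = spki.hex().upper()
    groups = [h[i:i + 8] for i in range(0, len(h), 8)]
    return "\n".join("   " + " ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))

def parse_pubkey_chain(config):
    """Extract each named-key entry: name, address, modulus bits, exponent, fingerprint."""
    entries, cur, hexbuf, in_key = [], None, [], False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"named-key\s+(\S+)", line)
        if m:
            cur = {"name": m.group(1), "address": None}
            entries.append(cur)
        elif line.startswith("address ") and cur is not None:
            cur["address"] = line.split()[1]
        elif line == "key-string":
            in_key, hexbuf = True, []
        elif line == "quit" and in_key:
            spki = bytes.fromhex("".join(hexbuf))
            n, e = parse_spki(spki)
            cur.update(modulus_bits=n.bit_length(), exponent=e, fingerprint=fingerprint(spki))
            in_key = False
        elif in_key:
            hexbuf.append(line.replace(" ", ""))
    return entries

def check_peer_key(entry, expected_fingerprint, min_bits=2048):
    """List the problems with a configured peer key: wrong key, or a modulus that is too small."""
    problems = []
    if entry["fingerprint"] != expected_fingerprint.lower():
        problems.append("fingerprint mismatch: configured key is not the one the peer admin sent")
    if entry["modulus_bits"] < min_bits:
        problems.append(f"modulus is {entry['modulus_bits']} bits, below the {min_bits}-bit minimum")
    return problems

# --- constructed sample config: names and addresses are placeholders, and the
# moduli are just integers of the right size, NOT real RSA keys
HQ_N, BRANCH_N, E = (1 << 2047) + 12345, (1 << 1023) + 777, 65537
SAMPLE_CONFIG = f"""crypto key pubkey-chain rsa
 named-key hq.example.net encryption
  address 192.0.2.1
  key-string
{ios_key_string(build_spki(HQ_N, E))}
  quit
 named-key branch.example.net encryption
  address 198.51.100.7
  key-string
{ios_key_string(build_spki(BRANCH_N, E))}
  quit
"""
```

Running parse_pubkey_chain(SAMPLE_CONFIG) and then check_peer_key(entry, fp) for each entry, where fp is the fingerprint the peer admin sent you (here, for the demonstration, the one computed from the config itself), flags the 1024-bit branch key as too small and passes the 2048-bit one. The fingerprint comparison is the part that actually defends the manual rsa-encr exchange against a substituted key; the modulus check covers the first item on the checklist above.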
 
Elia Spadoni (Guest), 03-24-2008
Thanks again for your really helpful answer.
Since at one end of the VPN I will be changing the routers, for the moment I
will keep pre-shared; then I will switch to rsa-encr.

Thanks a lot

