VPN: RSA vs Pre-Shared

Discussion in 'Cisco' started by Elia Spadoni, Mar 23, 2008.

  1. Elia Spadoni

    Elia Spadoni Guest

    Hello
    I am planning to do a LAN-to-LAN VPN, but I was wondering about the
    differences in security between
    a pre-shared key and the RSA method; in IOS I have two different RSA options:

    pre-share Pre-Shared Key
    rsa-encr Rivest-Shamir-Adleman Encryption
    rsa-sig Rivest-Shamir-Adleman Signature


    What are the differences in terms of security?
    Elia Spadoni, Mar 23, 2008
    #1

  2. Elia Spadoni

    Elia Spadoni Guest

    Thank you for your answers.

    But it is not clear to me what the differences are between pre-shared (the
    one I actually use) and rsa-encr.

    I always do site-to-site gre+ipsec tunnels.
    Elia Spadoni, Mar 23, 2008
    #2

  3. News Reader

    News Reader Guest

    With rsa-encr, you manually enter the peer's public key into your local
    configuration.

    With rsa-sig, you are using x.509 digital certificates (i.e.: reliance
    on Public Key Infrastructure).

    The difference is scalability. If you had a large number of devices you
    would use rsa-sig.

    For your needs, rsa-encr will be fine.

    Best regards,
    News Reader

    News Reader, Mar 23, 2008
    #3
  4. News Reader

    News Reader Guest

    When you first configure a device for SSH, or IPSec, you generate an RSA
    key pair (public and private keys).

    To view "your" public keys:

    router# sh crypto key mypubkey rsa

    It is your public key that you are providing to the admin of your VPN
    peer. He will manually enter your public key into the crypto config on
    his end. Likewise, you will enter the public key of his device into your
    crypto config.

    The resulting section of your config will look something like this:

    crypto key pubkey-chain rsa
     named-key peer.domain.com encryption
      address aaa.bbb.ccc.ddd
      key-string
       XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
       XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
       XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
       XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
       XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
       XXXXX
      quit

    The "X"s will of course be hexadecimal numbers.

    To view the public keys of "others", that are presently in your config:

    router# sh crypto key pubkey-chain rsa


    Hopefully you are familiar with the basics of public key encryption.
    When you encrypt something with the peer's public key, only he can
    decrypt it with his private key, which he must closely guard.

    Best regards,
    News Reader


    News Reader, Mar 23, 2008
    #4
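    The key exchange described in this post, as an added example that is not
    from the original thread: a small Python helper that takes the text of
    "show crypto key mypubkey rsa" from one router, pulls out the hex key data
    that follows "Key Data:", emits the "crypto key pubkey-chain rsa" stanza
    the other admin pastes into his config, and prints a SHA-256 fingerprint of
    the key bytes so the two admins can read it to each other over a trusted
    channel before trusting what was typed in. The show output, the key hex,
    the peer name router-a.example.net and the address 198.51.100.1 are
    constructed for the example; the fingerprint is this script's own check
    value, not the fingerprint format IOS itself displays.

```python
import hashlib
import re

# Constructed sample of what "show crypto key mypubkey rsa" prints on router A.
# The hex is made up for this example and is not a real key.
SAMPLE_MYPUBKEY_OUTPUT = """\
% Key pair was generated at: 10:02:41 UTC Mar 23 2008
Key name: router-a.example.net
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C1A2B3
  C4D5E6F7 08192A3B 4C5D6E7F 80919FA0 B1C2D3E4 F5061728 394A5B6C 7D8E9FA0
  B1C2D3E4 F5061728 394A5B6C 7D8E9FA0 B1C2D3E4 F5061728 394A5B6C 7D8E9FA0
  B1C2D3E4 F5061728 394A5B6C 7D8E9FA0 B1C2D3E4 F5061728 394A5B6C 7D8E9FA0
  B1C2D3E4 F5061728 394A5B6C 7D8E9FA0 B1C2D3E4 F5061728 394A5B6C 7D8E9F02
  03010001
"""

# A line made only of hex groups separated by whitespace.
HEX_LINE = re.compile(r"\s*(?:[0-9A-Fa-f]+\s*)+")


def extract_key_hex(show_output):
    """Pull the hex groups that follow 'Key Data:' out of the show output."""
    groups, in_data = [], False
    for line in show_output.splitlines():
        if "Key Data:" in line:
            in_data = True
            continue
        if in_data:
            if HEX_LINE.fullmatch(line):
                groups.extend(line.split())
            else:
                break                      # first non-hex line ends the key
    key = "".join(groups).upper()
    if not key or len(key) % 2:
        raise ValueError("no usable key data in show output")
    return key


def pubkey_chain_stanza(peer_name, peer_addr, key_hex, groups_per_line=8):
    """Build the stanza router B's admin pastes in to hold router A's key.

    named-key is the form used in the post (peer identified by hostname);
    IOS also accepts addressed-key <ip> when the peer's IKE identity is its
    address. Which one applies depends on the peers' identity setting.
    """
    groups = [key_hex[i:i + 8] for i in range(0, len(key_hex), 8)]
    lines = [
        "crypto key pubkey-chain rsa",
        f" named-key {peer_name} encryption",
        f"  address {peer_addr}",
        "  key-string",
    ]
    for i in range(0, len(groups), groups_per_line):
        lines.append("   " + " ".join(groups[i:i + groups_per_line]))
    lines.append("  quit")
    return "\n".join(lines)


def fingerprint(key_hex):
    """SHA-256 over the raw key bytes: a value both admins compare out of band.

    This is the script's own check value, not the fingerprint IOS prints.
    """
    return hashlib.sha256(bytes.fromhex(key_hex)).hexdigest()


if __name__ == "__main__":
    key = extract_key_hex(SAMPLE_MYPUBKEY_OUTPUT)
    print(pubkey_chain_stanza("router-a.example.net", "198.51.100.1", key))
    print("fingerprint:", fingerprint(key))
```

    The point of the fingerprint step is that rsa-encr has no CA: the pasted
    public key is the whole trust decision, so whoever can substitute it
    (for instance on an unauthenticated wireless link) becomes the peer.
    Comparing the hash over a channel the attacker cannot alter closes that
    gap.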
  5. Elia Spadoni

    Elia Spadoni Guest

    Hello
    thank you for your really complete answers.

    So... the easiest to use is the pre-shared (not RSA type).

    But what is the most secure? If I put this method on a cleartext wireless
    link (the one explained in the post above), which will be less prone to
    man-in-the-middle attack?


    Elia Spadoni, Mar 23, 2008
    #5
  6. News Reader

    News Reader Guest

    Pre-shared keys are the least secure, and I don't use them for
    site-to-site VPNs.

    I use rsa-encr or rsa-sig, both are secure.

    With either of the RSA methods, you will need to generate an RSA key
    pair on each router. This is easily done; just locate and follow the
    procedure for enabling SSH. If you are currently using SSH or HTTPS to
    access the router, the keys are already there. Refer to my earlier post
    for commands to view a key pair.

    RSA-SIG requires a private key infrastructure (PKI), and is primarily
    intended to address issues of scalability.

    RSA-ENCR requires manual entry of the peer's public key into your local
    config.

    Both RSA methods are based on the "same" key pair.

    Use RSA-ENCR rather than pre-shared keys to improve your security
    posture. Pursue RSA-SIG if you have a large number of IPSec tunnel
    endpoints to lessen the administrative overhead.

    If you are worried about man in the middle attacks, concern yourself with:

    - The size of your RSA keys (modulus)
    - Lifetimes of the ISAKMP SA, and IPSec SAs
    - Choice of authentication and encryption transforms for ISAKMP and IPSec
    - DH Group
    - PFS (Perfect Forward Secrecy)

    ... all of which are determined by your configuration choices.

    Best regards,
    News Reader


    News Reader, Mar 23, 2008
    #6
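    An added example, not from the thread, that turns the checklist in this
    post into an audit: a Python script that parses two constructed IOS config
    fragments (one built on a pre-shared key with legacy transforms, one using
    rsa-encr with stronger settings) and reports each listed choice that is
    weak or missing: authentication method and pre-shared key length, ISAKMP
    and IPsec SA lifetimes, encryption and hash transforms, DH group, PFS, and
    the RSA modulus size (passed in, since it comes from "show crypto key
    mypubkey rsa" rather than the running config). The thresholds (2048-bit
    RSA, DH group 14 or higher, no DES/3DES/MD5, PFS set, SA lifetimes no
    longer than the IOS defaults) are the example's own assumptions, not
    something the post states, and the configs are invented, not from any real
    router.

```python
import re

# Thresholds used by this audit: the example's own choices, not the thread's.
WEAK_DH_GROUPS = {"1", "2", "5"}          # MODP groups below 2048 bits
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
MIN_RSA_BITS = 2048
MAX_IKE_LIFETIME = 86400                  # IOS default for the ISAKMP SA
MAX_IPSEC_LIFETIME = 3600                 # IOS default for IPsec SAs
MIN_PSK_LEN = 20

# Constructed IOS config fragments; neither is from the thread or a real router.
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 604800
crypto isakmp key cisco123 address 203.0.113.2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
"""

HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-encr
 group 14
 lifetime 28800
crypto key pubkey-chain rsa
 named-key router-b.example.net encryption
  address 203.0.113.2
  key-string
   30819F30 0D06092A 864886F7 0D010101
  quit
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 set pfs group14
 match address 101
"""


def _blocks(config):
    """Split an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_ios_vpn(config, rsa_modulus_bits=None):
    """Return findings for the IKE/IPsec choices that matter against MITM."""
    findings = []
    if rsa_modulus_bits is not None and rsa_modulus_bits < MIN_RSA_BITS:
        findings.append(f"RSA modulus {rsa_modulus_bits} bits is below {MIN_RSA_BITS}")
    for header, body in _blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            tag = f"isakmp policy {words[3]}"
            for line in body:
                p = line.split()
                if p[0].startswith("encr") and p[1] in WEAK_ENCR:
                    findings.append(f"{tag}: weak encryption {p[1]}")
                elif p[0] == "hash" and p[1] in WEAK_HASH:
                    findings.append(f"{tag}: weak hash {p[1]}")
                elif p[0] == "authentication" and p[1] == "pre-share":
                    findings.append(f"{tag}: pre-shared key authentication")
                elif p[0] == "group" and p[1] in WEAK_DH_GROUPS:
                    findings.append(f"{tag}: weak DH group {p[1]}")
                elif p[0] == "lifetime" and int(p[1]) > MAX_IKE_LIFETIME:
                    findings.append(f"{tag}: ISAKMP SA lifetime {p[1]}s exceeds {MAX_IKE_LIFETIME}s")
        elif header.startswith("crypto isakmp key "):
            m = re.match(r"crypto isakmp key (\S+) address (\S+)", header)
            if m and len(m.group(1)) < MIN_PSK_LEN:
                findings.append(f"pre-shared key for {m.group(2)} is shorter than {MIN_PSK_LEN} chars")
        elif header.startswith("crypto ipsec security-association lifetime seconds"):
            if int(words[-1]) > MAX_IPSEC_LIFETIME:
                findings.append(f"IPsec SA lifetime {words[-1]}s exceeds {MAX_IPSEC_LIFETIME}s")
        elif header.startswith("crypto ipsec transform-set"):
            name, transforms = words[3], words[4:]
            findings += [f"transform-set {name}: weak transform {t}" for t in transforms if t in WEAK_ESP]
            if not any(t.endswith("-hmac") or "gcm" in t for t in transforms):
                findings.append(f"transform-set {name}: no integrity transform")
        elif header.startswith("crypto map") and "ipsec-isakmp" in words:
            tag = f"crypto map {words[2]} {words[3]}"
            pfs = [l.split() for l in body if l.startswith("set pfs")]
            if not pfs:
                findings.append(f"{tag}: PFS not set")
            elif pfs[0][2].replace("group", "") in WEAK_DH_GROUPS:
                findings.append(f"{tag}: weak PFS {pfs[0][2]}")
    return findings


if __name__ == "__main__":
    for name, cfg, bits in (("weak", WEAK_CONFIG, 1024), ("hardened", HARDENED_CONFIG, 2048)):
        print(name, audit_ios_vpn(cfg, rsa_modulus_bits=bits) or ["no findings"])
```

    The audit only reads what is explicitly in the config; a policy that
    omits "group" falls back to the IOS default, so an empty result is only
    as good as the settings actually written down.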
  7. Elia Spadoni

    Elia Spadoni Guest

    Thanks again for your really helpful answer.
    Since I will be changing the routers at one end of the VPN, for the moment I
    will keep pre-shared,

    then I will switch to rsa-encr.


    Thank you a lot


    Elia Spadoni, Mar 24, 2008
    #7
