R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Encryption/decryption: Information encrypted with the receiver's public key can be decrypted only by the receiver, who holds the corresponding private key. This provides confidentiality.
Digital signature: The sender signs information with its private key (in practice it signs a hash of the information), and anyone who holds the sender's public key can verify the signature. A valid signature proves that the information came from the holder of that private key and has not been modified since it was signed. For example, user 1 signs the data with its private key and sends the data together with the signature to user 2. User 2 verifies the signature with the public key of user 1. If the signature verifies, the data is accepted as coming from user 1; if the data or the signature was altered in transit, verification fails.
Rivest-Shamir-Adleman (RSA) and the Digital Signature Algorithm (DSA) are both asymmetric key algorithms. RSA can be used for both data encryption/decryption and signature, whereas DSA is used for signature only.
NOTE:
Asymmetric key algorithms are usually used in digital signature applications for peer identity authentication. Because they involve complex calculations and are time-consuming, they are not used to protect bulk data; symmetric key algorithms are used to encrypt/decrypt the data itself.
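As an added example (not part of this guide and not the firewall's own code), the following pure-Python textbook RSA walks through both uses of a key pair described above: user 2's public key encrypts a message that only user 2's private key can decrypt, and user 1's private key signs a SHA-256 digest that user 2 verifies with user 1's public key. It also exercises the failure cases the text implies but does not show: tampered data and a signature checked against the wrong public key. The user names, the sample message and the 512-bit modulus are assumptions chosen for the demo; unpadded RSA is for illustration only and is not how a product should implement either operation.

```python
# Added example for this section; not from the HP guide or the firewall firmware.
# Textbook (unpadded) RSA in pure Python, for illustration only: production code
# must use OAEP for encryption and PSS or PKCS#1 v1.5 for signatures.
import hashlib
import math
import random

_rng = random.SystemRandom()  # OS randomness for prime generation

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit forced to 1)."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(modulus_bits: int = 1024, e: int = 65537):
    """Return ((n, e), (n, d)); modulus_bits plays the role of the 'modulus length'
    the firewall CLI prompts for when a local key pair is created."""
    while True:
        p = random_prime(modulus_bits // 2)
        q = random_prime(modulus_bits - modulus_bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == modulus_bits and math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))

def encrypt(public_key, message: bytes) -> int:
    """Confidentiality: encrypt with the RECEIVER's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be shorter than the modulus (no padding here)")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the matching private key recovers the plaintext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(private_key, data: bytes) -> int:
    """Signature: the SENDER's private key acts on a SHA-256 digest of the data
    (256 bits, so it is always below a modulus of 512 bits or more)."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key checks the signature against a fresh digest."""
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, e, n) == expected

def demo(modulus_bits: int = 512) -> dict:
    """User 1 (sender) and user 2 (receiver), as in the text; returns each check's outcome."""
    user1_pub, user1_priv = generate_keypair(modulus_bits)
    user2_pub, user2_priv = generate_keypair(modulus_bits)
    message = b"rotate the IKE pre-shared key at 02:00 UTC"  # constructed sample data
    ciphertext = encrypt(user2_pub, message)   # only user 2 can read it
    signature = sign(user1_priv, message)      # only user 1 could have produced it
    return {
        "receiver_decrypts": decrypt(user2_priv, ciphertext) == message,
        "other_key_cannot_decrypt": decrypt(user1_priv, ciphertext) != message,
        "signature_verifies": verify(user1_pub, message, signature),
        "tampered_data_rejected": not verify(user1_pub, message + b" (or now)", signature),
        "wrong_signer_rejected": not verify(user2_pub, message, signature),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The signature is computed over a digest rather than the data itself, which is why verification with a changed message fails even though the signature bytes are intact; checking the signature against user 2's public key fails for the same reason the text gives, namely that only user 1's private key corresponds to user 1's public key.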
Configuring the local asymmetric key pair
You can create and destroy a local asymmetric key pair, and export the host public key of a local
asymmetric key pair.
Creating an asymmetric key pair
Follow these steps to create an asymmetric key pair:
To do…                                          Use the command…                         Remarks
Enter system view                               system-view                              -
Create a local DSA key pair or RSA key pairs    public-key local create { dsa | rsa }    Required. By default, there is no such key pair.
NOTE:
The key pairs created with the public-key local create command are saved and survive a reboot.
The public-key local create rsa command generates two key pairs: one server key pair and one host key pair. Each key pair consists of a public key and a private key.
The length of an RSA key modulus is in the range 512 to 2048 bits. After you enter the public-key local create rsa command, you are prompted to specify the modulus length. For security, a modulus of at least 768 bits is recommended; note, however, that 768-bit RSA moduli have been publicly factored, so for current deployments use 2048 bits, the largest length this platform supports, wherever the peer supports it, and never use 512 bits.
The public-key local create dsa command generates only one key pair, the host key pair.
The length of a DSA key modulus is in the range 512 to 2048 bits. After you enter the public-key local create dsa command, you are prompted to specify the modulus length. For security, a modulus of at least 768 bits is recommended; the same caveat applies, so prefer 2048 bits.
Displaying or exporting the local RSA or DSA host public key
You can display the local RSA or DSA host public key on the screen or export it to a specified file, so that the key can be configured on the remote end.