R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

331

332

333

334

335

336

337

338

339

340

322

public key may be distributed widely. The private key cannot be practically derived from the public

key.

Asymmetric key algorithm applications

Asymmetric key algorithms can be used for encryption/decryption and digital signature.

• Encryption/decryption—the sender uses the public key of the intended receiver to encrypt the

information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt

the information. This mechanism guarantees confidentiality.

• Digital signature—the sender "signs" the information to be sent by encrypting the information with

its own private key. A receiver decrypts the information with the sender's public key and, based on

whether the information can be decrypted, determines the authenticity of the information.

The Revest-Shamir-Adleman Algorithm (RSA), and the Digital Signature Algorithm (DSA) are asymmetric

key algorithms. RSA can be used for data encryption/decryption and signature, whereas DSA isused for

signature only.

NOTE:

Symmetric key al

orithms are often used to encrypt/decrypt data for security. Asymmetric key al

orithms

are usually used in digital signature applications for peer identity authentication because they involve

complex calculations and are time-consuming. In digital signature applications, only the digests, which

are relatively short, are encrypted.

Configuring the local asymmetric key pair

You can create and destroy a local asymmetric key pair, and export the host public key of a local

asymmetric key pair.

Creating an asymmetric key pair

To create an asymmetric key pair:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create a local DSA key pair,

or RSA key pairs.

public-key local create { dsa | rsa }

By default, no key pair is created.

The public-key local create rsa command generates two key pairs: one server key pair and one host key

pair. Each key pair comprises a public key and a private key. The public-key local create dsa command

generates only one key pair, the host key pair.

After you enter the command, you are asked to specify the modulus length. The length of an RAS or DSA

key modulus ranges from 512 to 2048 bits. To achieve higher security, specify a modulus at least 768 bits.

In FIPS mode, the DSA key modulus must be no less than 1024 bits, and the RSA key modulus must be

2048 bits.

NOTE:

Key pairs created with the public-key local create command are saved automatically and can survive

system reboots.