Creating a local key pair, Configuration guidelines – H3C Technologies H3C S6300 Series Switches User Manual
Page 189
174
Creating a local key pair
Configuration guidelines
When you create a local key pair, follow these guidelines:
•
The key algorithm must be the same as required by the security application.
•
The key modulus length must be appropriate (see
). The longer the key modulus length, the
higher the security, the longer the key generation time.
•
If you do not assign the key pair a name, the system assigns the default name to the key pair and
marks the key pair as default. You can also assign the default name to another key pair, but the
system does not mark the key pair as default.
•
The name of a key pair must be unique among all manually named key pairs that use the same key
algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict
occurs, the system asks whether you want to overwrite the existing key pair.
•
The key pairs are automatically saved and can survive system reboots.
Table 8 A comparison of different types of asymmetric key algorithms
Type
Number of key pairs
Modulus length
H3C recommendation
RSA
•
In non-FIPS mode:
{
If you specify the key pair name,
the command creates a host key
pair.
{
If you do not specify the key pair
name, the command creates one
server key pair and one host key
pair, and both key pairs use their
default names.
•
In FIPS mode:
If you do not specify a key pair name,
the command creates a host key pair
with the default name.
•
In non-FIPS mode:
512 to 2048 bits and
defaults to 1024 bits.
•
In FIPS mode:
2048 bits
At least 768 bits
DSA
The command only creates one host key
pair.
•
In non-FIPS mode:
512 to 2048 bits and
defaults to 1024 bits.
•
In FIPS mode:
2048 bits
At least 768 bits
ECDSA
The command only creates one host key
pair.
•
192 bits, when the
secp192r1 curve is
used to create the key
pair.
•
256 bits, when the
secp256r1 curve is
used to create the key
pair.
N/A
NOTE:
Only SSH 1.5 uses the RSA server key pair.