Asymmetric key algorithm applications, Configuring the local asymmetric key pair, Creating an asymmetric key pair – H3C Technologies H3C SecPath F1000-E User Manual

327

•

Asymmetric key algorithm—The keys for encryption and decryption are different, one is the public

key, and the other is the private key. The information encrypted with the public key can only be
decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the

public key may be distributed widely. The private key cannot be practically derived from the public

key.

Asymmetric key algorithm applications

Asymmetric key algorithms can be used for encryption/decryption and digital signature.

•

Encryption/decryption—the sender uses the public key of the intended receiver to encrypt the
information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt

the information. This mechanism guarantees confidentiality.

•

Digital signature—the sender "signs" the information to be sent by encrypting the information with
its own private key. A receiver decrypts the information with the sender's public key and, based on

whether the information can be decrypted, determines the authenticity of the information.

The Revest-Shamir-Adleman Algorithm (RSA), and the Digital Signature Algorithm (DSA) are asymmetric

key algorithms. RSA can be used for data encryption/decryption and signature, whereas DSA isused for

signature only.

NOTE:

Symmetric key algorithms are often used to encrypt/decrypt data for security. Asymmetric key algorithms
are usually used in digital signature applications for peer identity authentication because they involve

complex calculations and are time-consuming. In digital signature applications, only the digests, which
are relatively short, are encrypted.

Configuring the local asymmetric key pair

You can create and destroy a local asymmetric key pair, and export the host public key of a local

asymmetric key pair.

Creating an asymmetric key pair

To create an asymmetric key pair:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create a local DSA key pair,
or RSA key pairs.

public-key local create { dsa | rsa }

By default, no key pair is created.

The public-key local create rsa command generates two key pairs: one server key pair and one host key
pair. Each key pair comprises a public key and a private key. The public-key local create dsa command

generates only one key pair, the host key pair.
After you enter the command, you are asked to specify the modulus length. The length of an RAS or DSA

key modulus ranges from 512 to 2048 bits. To achieve higher security, specify a modulus at least 768 bits.

In FIPS mode, the DSA key modulus must be no less than 1024 bits, and the RSA key modulus must be
2048 bits.