Asymmetric key algorithm applications, Configuring the local asymmetric key pair, Creating an asymmetric key pair – H3C Technologies H3C SecPath F1000-E User Manual
• Asymmetric key algorithm—The keys for encryption and decryption are different: one is the public key, and the other is the private key. Information encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. The private key is kept secret, and the public key may be distributed widely. The private key cannot be practically derived from the public key.
Asymmetric key algorithm applications
Asymmetric key algorithms can be used for encryption/decryption and digital signature.
• Encryption/decryption—The sender uses the public key of the intended receiver to encrypt the information to be sent. Only the intended receiver, the holder of the paired private key, can decrypt the information. This mechanism guarantees confidentiality.
• Digital signature—The sender "signs" the information to be sent by encrypting the information with its own private key. A receiver decrypts the information with the sender's public key and, based on whether the information can be decrypted, determines the authenticity of the information.
The Rivest-Shamir-Adleman algorithm (RSA) and the Digital Signature Algorithm (DSA) are asymmetric key algorithms. RSA can be used for data encryption/decryption and signature, whereas DSA is used for signature only.
NOTE:
Symmetric key algorithms are often used to encrypt/decrypt data for security. Asymmetric key algorithms involve complex, time-consuming calculations, so they are usually reserved for digital signature applications, where they authenticate peer identity. In digital signature applications, only the digests, which are relatively short, are encrypted.
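The two uses above (public-key encryption for confidentiality, private-key signing of a digest for authenticity) shown in a toy RSA implementation. This is an added example, not code from the manual or from H3C: the primes, exponent and message are constructed demo values and are far too small to be secure, and reducing the digest modulo n stands in for the padding a real signature scheme would apply.

```python
"""Toy RSA demo of the two uses described in the text: encryption for
confidentiality and signature for authenticity.  Constructed example with
tiny, insecure parameters; real keys use a 2048-bit modulus and padding."""
import hashlib
from math import gcd

# Constructed demo primes: far too small for real use, chosen so the
# arithmetic is visible.  The public exponent 65537 is the usual choice.
DEMO_PRIMES_A = (1000003, 1000033)
DEMO_PRIMES_B = (1000037, 1000039)
PUBLIC_EXPONENT = 65537


def generate_keypair(primes=DEMO_PRIMES_A, e=PUBLIC_EXPONENT):
    """Return (public_key, private_key) as (n, exponent) tuples."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: int) -> int:
    """Sender encrypts with the receiver's public key."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer below the modulus")
    return pow(plaintext, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    """Only the holder of the paired private key recovers the plaintext."""
    n, d = private_key
    return pow(ciphertext, d, n)


def _digest_as_int(message: bytes, n: int) -> int:
    # Only the short digest is signed, as the NOTE describes.  Reducing mod n
    # stands in for the padding a real scheme (PKCS#1 v1.5, PSS) would apply.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Sender 'encrypts' the digest of the message with its own private key."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Receiver 'decrypts' the signature with the sender's public key and
    compares it with a freshly computed digest of the received message."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def wrong_key_recovers_plaintext(plaintext: int = 123456789) -> bool:
    """Show that a ciphertext for key pair A is not readable with key pair B."""
    pub_a, _ = generate_keypair(DEMO_PRIMES_A)
    _, priv_b = generate_keypair(DEMO_PRIMES_B)
    return decrypt(priv_b, encrypt(pub_a, plaintext)) == plaintext


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"constructed sample message"
    print("round trip ok:", decrypt(priv, encrypt(pub, 123456789)) == 123456789)
    sig = sign(priv, msg)
    print("signature verifies:", verify(pub, msg, sig))
    print("tampered message verifies:", verify(pub, msg + b"!", sig))
    print("wrong private key recovers plaintext:", wrong_key_recovers_plaintext())
```

The same modular exponentiation serves both roles; what differs is which key the sender uses. Because the signature covers the SHA-256 digest rather than the whole message, its size is fixed regardless of message length, which is the point the NOTE makes about cost.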
Configuring the local asymmetric key pair
You can create and destroy a local asymmetric key pair, and export the host public key of a local
asymmetric key pair.
Creating an asymmetric key pair
To create an asymmetric key pair:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create a local DSA key pair, or RSA key pairs. | public-key local create { dsa | rsa } | By default, no key pair is created.
The public-key local create rsa command generates two key pairs: one server key pair and one host key
pair. Each key pair comprises a public key and a private key. The public-key local create dsa command
generates only one key pair, the host key pair.
After you enter the command, you are asked to specify the modulus length. The length of an RSA or DSA key modulus ranges from 512 to 2048 bits. To achieve higher security, specify a modulus of at least 768 bits. In FIPS mode, the DSA key modulus must be no less than 1024 bits, and the RSA key modulus must be 2048 bits.