Virtual Private Network Wireless
Transcript of Virtual Private Network Wireless
Corporate Template 06/98 - Page 1 - 3Com Corporation
Virtual Private Network & Wireless
Ing. Mirko Tedaldi, CryptoNet S.p.A.
Overview
• Virtual Private Network
• Wireless scenario
• Wireless VPN
• Wireless LAN
• M-commerce and Wireless Public Key Infrastructure
The two types of cryptographic algorithms
• Symmetric cryptography (or secret-key cryptography): uses a single cryptographic key that must be held by both the sender and the recipient of the message
• Asymmetric cryptography (or public-key cryptography): uses a pair of keys (one public and the other private), both belonging to a single owner
Electronic Certificates
[Diagram: a certificate for "Mirko Tedaldi", CA: CryptoNet, valid from 16/1/2000 to 15/1/2001, carrying the public key value; the information contained in the certificate is signed by the CA (CA signature) using the CA's private key]
Third-Party Trust
[Diagram: Alice and Bob both trust the Certification Authority]
Certification Authority: guarantees the correspondence between a public key and its subject by means of digital certificates
Virtual Private Network (VPN)
What is a VPN?
• At its simplest, a VPN (Virtual Private Network) is a network built on top of the services of another network
– often VPNs are built on the public Internet, but not always
[Diagram: a mesh of networks interconnecting the Paris, Sydney, New York and Tokyo offices]
Prevailing Methods
[Diagram: HQ LAN and remote office LAN joined by routers across the Internet; a modem pool and a firewall at HQ; a roaming user and a home user dialling in]
VPN Methods
[Diagram: the same topology, now with an encrypted tunnel across the Internet between the routers; traffic is clear text only on the HQ LAN and the remote office LAN]
Uses for VPNs
• Intranet VPN: between a central corporate site and branch offices
• Remote VPN: between a central corporate site and individual remote users
• Extranet VPN: between an enterprise and its business partners, suppliers and customers
Remote VPN and Extranet VPN include not only mobile devices like laptops, but wireless handheld devices like PDAs and smart phones.
Business Reasons for VPNs
• Increased business being done over the Internet
• Secures communications at the network layer (IP) across all applications (including legacy apps)
• Cost effective for remote access: compare to a modem pool and long distance charges
“How often do they dial in and for how long? What about international calls? What will it cost to maintain this?”
The Nature of Secure VPNs
• The classic problems
– authentication
– integrity
– confidentiality
“Which devices do I trust? Which client machines do I trust? Is anyone able to monitor my session? Is anyone able to hijack my session?”
An outline of IPSec
[Diagram: IP Header | IPSec Header(s) AH/ESP | IP Data (Encrypted)]
• “The goal of the IPSec architecture is to provide various security services for traffic at the IP layer, in both the IPv4 and IPv6 environments.” (IETF RFC 2401)
• Interoperable authentication, integrity and encryption
Encapsulating Security Payload Header (ESP)
• ESP header is prepended to the IP datagram
• Confidentiality through encryption of the IP datagram
• Integrity through a keyed hash function
ESP packet layout: Security Parameter Index (SPI) | Sequence Number Field | Initialization Vector | Payload Data | Padding (if any) | Pad Length | Next Header | Authentication Data
Authentication Header (AH)
AH header layout: Next Header | Payload Length | RESERVED | Security Parameter Index (SPI) | Sequence Number Field | Authentication Data
• AH header is prepended to the IP datagram or to the upper-layer protocol
• The IP datagram, part of the AH header, and the message itself are authenticated with a keyed hash function
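As an added example (not from the deck), the following Python parses the AH and ESP field layouts listed above and implements the sliding anti-replay window that the Sequence Number Field exists for. The sample packets are constructed, not captured, and the Authentication Data length is assumed to be 12 bytes (a 96-bit truncated HMAC), a value that in practice comes from the SA.

```python
"""Parse the fixed AH / ESP fields and check sequence numbers against a replay window.
Field order follows the slides (RFC 2402 / RFC 2406 layouts)."""
import struct
from dataclasses import dataclass


@dataclass
class AHHeader:
    next_header: int   # protocol that follows AH (4 = IP-in-IP in tunnel mode)
    payload_len: int   # AH length in 32-bit words minus 2, as encoded on the wire
    spi: int           # Security Parameter Index selecting the inbound SA
    seq: int           # Sequence Number Field
    icv: bytes         # Authentication Data (keyed-hash output)
    inner: bytes       # datagram / upper-layer data that follows the AH header


def parse_ah(pkt: bytes) -> AHHeader:
    if len(pkt) < 12:
        raise ValueError("AH header truncated")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", pkt[:12])
    if reserved != 0:
        raise ValueError("AH RESERVED field must be zero")
    total = (payload_len + 2) * 4            # 12 fixed bytes + Authentication Data
    if len(pkt) < total:
        raise ValueError("AH Authentication Data truncated")
    return AHHeader(next_header, payload_len, spi, seq, pkt[12:total], pkt[total:])


@dataclass
class ESPHeader:
    spi: int
    seq: int
    body: bytes   # IV + Payload Data + Padding + Pad Length + Next Header, still encrypted
    icv: bytes    # Authentication Data covering SPI, sequence number and body


def parse_esp(pkt: bytes, icv_len: int) -> ESPHeader:
    """Only the clear-text outer fields are readable before the SA key decrypts the body."""
    if len(pkt) < 8 + icv_len:
        raise ValueError("ESP packet truncated")
    spi, seq = struct.unpack("!II", pkt[:8])
    end = len(pkt) - icv_len
    return ESPHeader(spi, seq, pkt[8:end], pkt[end:])


class ReplayWindow:
    """Sliding anti-replay window, one per inbound SA. Bit 0 of the bitmap is the
    highest sequence number accepted; bit i means (last - i) was already received.
    Call accept() only after the Authentication Data has verified."""

    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                              # the first packet on an SA is 1
            return False
        if seq > self.last:                       # new high-water mark: slide the window
            shift = seq - self.last
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last = seq
            return True
        behind = self.last - seq
        if behind >= self.size or self.bitmap & (1 << behind):
            return False                          # too old, or a replay of a seen packet
        self.bitmap |= 1 << behind
        return True


# Constructed samples: AH (HMAC-96, payload_len 4 -> 24-byte header) and ESP (SPI 0x2000).
SAMPLE_AH = bytes([4, 4, 0, 0]) + (0x1000).to_bytes(4, "big") + (1).to_bytes(4, "big") \
    + b"\x11" * 12 + b"INNER"
SAMPLE_ESP = (0x2000).to_bytes(4, "big") + (7).to_bytes(4, "big") + b"BODY" + b"\x22" * 12


def demo() -> dict:
    ah, esp, window = parse_ah(SAMPLE_AH), parse_esp(SAMPLE_ESP, 12), ReplayWindow()
    verdicts = [window.accept(s) for s in (1, 1, 3, 2, 2, 100, 30, 50, 0)]
    return {"ah_spi": ah.spi, "ah_inner": ah.inner, "esp_seq": esp.seq,
            "esp_body": esp.body, "replay": verdicts}
```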
Authentication in IPSec
• Pre-shared keys
– Single key or passphrase per peer
– Still results in huge numbers of keys in meshed networks
• Digital signatures and certificates (PKI)
– Third-party trust minimizes the number of keys required for strong authentication
Why is PKI important to VPN?
• It is relatively easy to build a secure pipe or tunnel between two nodes or users on a public network
• Unless you know exactly who is at both ends of the pipe it has little value (initial authentication is fundamental)
• Digital certificates provide a means to strongly authenticate users and devices in a VPN tunnel
• A managed PKI provides a scalable platform upon which to build large, secure, and trusted VPNs.
Scalability
• VPNs do not scale without using public-key certificates
[Chart: key-management effort against number of nodes: Effort ∝ n² with pre-shared keys (fully meshed, without certificates), Effort ∝ n with certificates]
VPN + PKI
[Diagram: two internal networks joined by a VPN, supported by a PKI]
IPSec Sessions
[Diagram: IKE (1) establishes the ISAKMP SA; IKE (2) then negotiates one IPSEC SA per tunnel: IP tunneled from net A to net B, and from net A to net C]
IKE
Used to perform authentication between the VPN end-points and to exchange the keys for the IPSEC sessions. It relies on the UDP protocol (port 500).
• phase 1 - during this phase authentication between the VPN end-points takes place (ISAKMP session),
• phase 2 - in this phase the algorithms, the key length, the maximum session lifetime and the session key for the IPSEC sessions are negotiated
[Diagram: a router and a firewall communicating over an insecure channel]
Security Association (SA)
• Agreement between two entities on the method to communicate securely
• Unidirectional: two-way communication consists of two SAs
VPN Architecture
[Diagram: CA and CA Admin, Master Directory with Slave Directory 1 and Slave Directory 2, VPN CGI and VPN Connector, Router 1 and Router 2]
Communication Protocols
Protocol | Function | TCP port
CMP (Certificate Management Protocol) | Key and certificate management | 829
LDAP (Lightweight Directory Access Protocol) | Access to the X.500 directory over TCP/IP | 389
DISP (Directory Shadowing Protocol) | Shadowing between the master directory and the slave directories | 102
CEP (Certificate Enrollment Protocol) | Enrollment of the Cisco 1600 routers | (not given)
HTTP (Hypertext Transfer Protocol) | Access through the web server to the VPN Connector CGI | 80
Administration Protocols
Protocol | Function | TCP port
SPKM (Simple Public-Key GSS-API Mechanism) | Remote administration of the CA through the Entrust/Admin interface | 710
DAP (Directory Access Protocol) | Remote administration of the directories through the DAC interface | 102
Communications in a VPN (1)
Source | Destination | Protocol | Action
ENROLLMENT
Router | VPN CGI | HTTP | Enrollment request
VPN CGI | VPN Connector | CEP | Dispatch of the enrollment request
VPN Connector | Certification Authority | SEP | Enabling of the router in the CA
Certification Authority | Master Directory | LDAP | Publication of the router certificates
Master Directory | Slave Directory | DISP | Update of the shadow copies
Communications in a VPN (2)
Source | Destination | Protocol | Action
IPSEC
Router | Slave Directory | LDAP | Download of the CRLs
REVOCATION
VPN Connector | Master Directory | LDAP | Revocation of the router certificates
The customer
• Name: Omnitel Pronto Italia
• Importance: 2nd mobile operator in the world
• Subscribers: > 9M
The project
• Name: Omnitel2000
• Scope: use GSM as distribution points of new services (from horoscope to finance)
• Challenge: time to market
• Requirements: availability of service, scalability
The solution
• Idea: create a star network between Omnitel and content providers, use IP over CDN, authenticate end-points
• Products: Cisco routers (the net), Entrust/PKI, Entrust/VPN Connector, PeerLogic i500 directory
• Results: 1st (for birth) and 2nd (for growth = 1000 routers) largest VPN in the world based on this technology
The enrollment process
When a new router joins a VPN, the enrollment process must first be carried out; it consists of:
• authentication and recognition of the certification authority,
• generation of the cryptographic key pairs,
• request for certification of the keys and retrieval of the router's own digital certificates
Step 1: recognizing the authority
[Diagram: the router asks the RA (VPN Connector) for the certificates: "CERTS?"]
Step 1: recognizing the authority
[Diagram: the RA (VPN Connector) returns the CA certificate; the router displays the fingerprint aa:b0:c2:... and the administrator compares it with the expected value "aa:b0:c2:..."]
Step 2: key generation on board the router
[Diagram: the router, now trusting the CA o=cryptonet,c=it, generates its key pairs locally]
Step 3: certification of the public keys
[Diagram: the router sends its public keys to the RA (VPN Connector) with the request "please certify"; the request fingerprints b2:c4:e6:00:… and e9:aa:cc:01:... are shown on the router and checked by the RA administrator]
Step 3: certification of the public keys
[Diagram: the RA administrator grants the request ("GRANT!") and the CA o=cryptonet,c=it issues the certificates]
End: the router holds all the material needed to be recognized.
[Diagram: the router with its certificates from CA o=cryptonet,c=it]
The enrollment process
• It is carried out only once,
• it is a complex and very delicate process,
• the procedure must be executed scrupulously so as not to compromise its validity,
• it involves several actors:
– router administrators,
– VPN administrators (RA),
– CA administrators
Authentication between routers
During normal operation of the VPN, the only moments of contact with the PKI are during the authentication phase:
[Diagram: the routers ("ca trust") query the X.500 directory: "CRL?" → "Revoked certs: 012342143, 123234213, 234342343, 333242324" → "OK!"]
CRL download
During normal operation of the VPN, the only interaction with the PKI is with the directory alone, to obtain the most up-to-date CRLs:
• it requires no manual operation,
• it is performed only when the last downloaded CRL has expired
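As an added example (not from the deck or from Entrust's products), the following Python models the rule just stated: a per-issuer CRL cache that downloads again only once the cached CRL's nextUpdate has passed, and a peer-certificate check that consults it. The revoked serials are the ones drawn on the directory diagram above; the clock, the fetch callback and the validity times are constructed.

```python
"""CRL cache that refreshes only on expiry, plus a fail-closed revocation check."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class CRL:
    issuer: str
    this_update: int                               # epoch seconds
    next_update: int                               # epoch seconds; refresh after this
    revoked: Set[str] = field(default_factory=set)  # serial numbers as printed by the CA


class CRLCache:
    def __init__(self, fetch: Callable[[str], CRL], now: Callable[[], int]):
        self._fetch = fetch     # stands in for the LDAP download from the slave directory
        self._now = now
        self._cache: Dict[str, CRL] = {}
        self.downloads = 0

    def current(self, issuer: str) -> CRL:
        """Return the cached CRL; download a new one only when the cached copy expired."""
        crl = self._cache.get(issuer)
        if crl is not None and self._now() < crl.next_update:
            return crl
        fresh = self._fetch(issuer)
        if fresh.issuer != issuer:
            raise ValueError("CRL issuer mismatch")
        if not fresh.this_update <= self._now() < fresh.next_update:
            raise ValueError("downloaded CRL is not currently valid")
        self._cache[issuer] = fresh
        self.downloads += 1
        return fresh

    def peer_certificate_ok(self, issuer: str, serial: str) -> bool:
        """Fail closed: an unreachable directory or a stale CRL rejects the peer
        (the opposite of the router's 'crl optional' setting later in the deck)."""
        try:
            return serial not in self.current(issuer).revoked
        except (ValueError, OSError):
            return False


ISSUER = "o=cryptonet,c=it"
# Constructed sample: the revoked serials shown on the directory diagram.
REVOKED = {"012342143", "123234213", "234342343", "333242324"}


def demo() -> dict:
    clock = [1100]

    def fetch(issuer: str) -> CRL:          # each download is valid for 500 s from issue
        return CRL(issuer, clock[0] - 100, clock[0] + 500, set(REVOKED))

    cache = CRLCache(fetch, lambda: clock[0])
    ok = cache.peer_certificate_ok(ISSUER, "777000111")       # triggers download 1
    revoked = cache.peer_certificate_ok(ISSUER, "123234213")  # served from cache
    clock[0] = 1599                                            # still before nextUpdate
    cache.peer_certificate_ok(ISSUER, "777000111")
    before = cache.downloads
    clock[0] = 1600                                            # nextUpdate reached
    cache.peer_certificate_ok(ISSUER, "777000111")             # download 2
    after = cache.downloads

    def unreachable(issuer: str) -> CRL:
        raise OSError("directory unreachable")

    offline = CRLCache(unreachable, lambda: clock[0]).peer_certificate_ok(ISSUER, "1")
    return {"ok": ok, "revoked": revoked, "before": before, "after": after, "offline": offline}
```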
OMNITEL Network Architecture
[Diagram: CA LAN with the Certification Authority, databases DB(1)..DB(n) and the X.500 master behind the NMC firewall; service LANs with X.500 shadows 1-4, the VPN Connector CGI, the VPN RA GUI and the CA Admin GUI behind the OMC firewall; access routers in Milan, Rome, Naples, Bologna, etc. reaching the content providers' routers over ISDN/CDN/(Internet) links; the OmniNet firewall; directory shadowing from the X.500 master to the shadows]
Wireless & Security
Virtual Enterprise today…
… add devices
Internet Users
The addressable market for secure wireless transactions is massive and growing at a faster rate than for secure desktop transactions!
[Chart: Mobile users vs Internet users, mobile penetration (%) plotted against Internet penetration (%) for the USA, Japan, Belgium, France, Germany, Greece, Spain, Portugal, UK, Norway, NL, Switzerland, Ireland, Austria, Luxembourg, Italy, Denmark, Sweden and Finland. Source: Smau/EITO 2001]
Wireless Data
• Data that is bursty and always-on needs a packet infrastructure (vs. a modem pool arrangement)
[Chart: 2G – 9.6 Kbps, today, circuit switched; 2.5G – ‘up to’ 100 Kbps, 2001, packet switched; 3G – 2 Mbps, 2003, packet switched]
Market is huge!
[Chart: 1999-2004 growth, up to 1.4 billion units, of WAP-capable devices, total cellular/PDAs and PCs (wired connections). Source: IDC, 2000]
The Mobile E-commerce scenario in Western Europe
• 250 million mobile telephony users in 2000 (+60% on end of 1999)
• 400 million mobile telephony users in 2003
• penetration of 100% in many countries
• Internet users will double before 2005 compared with the 120 million of 2000
MOBILE E-COMMERCE
• 2001: 24 million users
• 2003: 100 million users and 38 billion Euro in revenues
• 2005: 175 million users and 86 billion Euro in revenues
VPN on GSM/GPRSVPN on GSM/GPRS
Wireless VPN
[Diagram: PDA users reaching the HQ LAN and the remote office LAN through a modem pool and over the Internet via routers and a firewall; encrypted tunnel across the Internet, clear text on the LANs]
PDA: iPAQ Pocket PC
• Processor: Intel StrongARM 32-bit RISC 206 MHz
• O.S.: MS Pocket PC 2000/2002 (MS Win CE 3.0)
• ROM: 16 MB – 32 MB (flash)
• RAM: 32 MB – 64 MB
• Display: TFT LCD 240x320, 64K colors
• Ports: USB, serial, infrared
• Memory card slot: up to 128 MB (or 1 GB removable HD)
• Wireless pack: GSM/GPRS (Q1/02), Bluetooth (Q4/01), IEEE 802.11
• Connectivity: modem 56K, Ethernet 100 Mbps (Q4/01)
Wireless VPN vs Wireline VPN
Wireless connections
• Dedicated dial-up modem to access an ISP through the telephone network
• Wireless modem to access a local LAN
• Modem with a data-capable mobile phone to access the ISP
Wireless LANs: IEEE 802.11b
• It defines the standard for wireless LAN products that operate at an Ethernet-like data rate of 11 Mbps
• Interoperability of wireless LAN products from different vendors is ensured by an independent organization called the Wireless Ethernet Compatibility Alliance (WECA; see http://www.wi-fi.com), which brands compliant products as “Wi-Fi.”
• Security: access control and privacy between clients and access points
Security: Wired LANs vs Wireless LANs (1)
Wired LAN
1) Access Control: it is governed by access to an Ethernet port for that LAN.
⇒ access control for a wired LAN is often viewed in terms of physical access to LAN ports.
2) Privacy: transmitted data is directed to a particular destination,
⇒ privacy cannot be compromised unless someone uses specialized equipment to intercept transmissions on their way to their destination.
Security: Wired LANs vs Wireless LANs (2)
Wireless LAN
1) Access Control: transmitted data is broadcast over the air using radio waves
⇒ it can be received by any wireless LAN client in the area served by the transmitter
2) Privacy: there is no way to direct a wireless LAN transmission to only one recipient.
Installing a wireless LAN may seem like putting Ethernet ports everywhere
How to secure a Wireless LAN
Virtual Private Network:
• VPN is independent of any native wireless LAN security schema
• VPN runs transparently over a wireless LAN (as over a wired LAN)
Wired Equivalent Privacy (WEP):
• An optional encryption schema stipulated by IEEE 802.11
Wired Equivalent Privacy (WEP)
• WEP uses a symmetric schema
• Its goals are: access control and privacy
• Software or hardware implementation of WEP
• Two schemas for defining the WEP keys:
1) Default key schema
2) Key mapping schema
WEP Authentication
• Two types of authentication methods: open and shared key
• The authentication method must be set on each client, and the setting should match that of the access point with which the client wants to associate
• OPEN (default): the entire authentication process is done in clear text, and a client can associate with an access point even without supplying the correct WEP key.
• SHARED KEY: the access point sends the client a challenge text packet that the client must encrypt with the correct WEP key and return to the access point. If the client has the wrong key or no key, it will fail authentication and will not be allowed to associate with the access point.
Wireless Solutions for Mobile Commerce: Wireless PKI
WEB / WAP Parallels
[Diagram: Browser (SSL) → Internet Service Provider → WEB Server (SSL) → new or existing back-end systems; Micro-Browser (WTLS) → Mobile Operator → WAP Server (WTLS) → the same back-end systems; end-to-end security across both paths]
Security services in WAP
Service | WAP
Gateway Authentication | Current products
Client (phone) authentication | No available WAP products
Digital Signature | No available WAP products
Deficiencies of WAP (1)
• WAP mobiles are not widespread today
• Phone manufacturers go on selling non-WAP mobiles (less expensive, and the added value is not perceived)
• Many users do not use WAP features (or are unable to)
• No “pure WAP solution” available for client authentication and signing transactions (only with WAP 1.2)
• No push of a signing request to the user's mobile phone
Deficiencies of WAP (2)
• We have to use GSM (with WAP, if available)
• ALL mobile phones use GSM
• We can use Short Message Services (SMS) for every operation, or just for the operations that WAP does not implement yet
• SMS is more user-friendly than WAP browsers
• Hence, a hybrid solution between SMS and WAP
M-commerce
[Diagram: WAP and SAT terminals on the wireless Internet reach the CD-store web server (CD Shop) through the WAP Internet gateway and the SAT Internet gateway, with a wireless wallet on the GSM side]
• Web Browser
• WAP Browser
• SIM Application Toolkit Browser (WIB)
Browsing services located on SIM and/or web-wap site
[Diagram: menu structure on the mobile phone (Phone book, Messages, Network, Settings, News Service → Headlines, …, Local, Sports, Weather, Exchange Rates, Traffic) linked to the menu structure on the web site (Sports → Tennis, Ice Hockey, Basketball, Water Polo…; “Sweden and Finland are meeting each other in what expects to be the game of the year...”) and to information on the web site (Movie Tickets, Banking, …)]
Key (& Certificate) Insertion Points
• Phone Manufacturer: CA root key and/or certificate may be placed in the firmware mask from an image file provided by the Certificate Authority
• Card Manufacturer: CA root key and/or certificate may be placed on the SIM from an image file provided by the Certificate Authority; end-user encryption key-pair and digital signature key-pair pre-generated and stored on the SIM
• Mobile Operator: end-user enrollment at the Mobile Operator: the end-user Encryption Public Key and Verification Public Key are sent to the Certificate Authority for “binding” to certificates; returned certificates are stored on the SIM or on the network
• End user: end-user enrollment Over the Air: the end-user Encryption Public Key and Verification Public Key are sent to the Certificate Authority for “binding” to certificates; returned certificates are stored on the SIM or on the network
• Service Provider: end-user enrollment at the Service Provider: the end-user Encryption Public Key and Verification Public Key are sent to the Certificate Authority for “binding” to certificates; returned certificates are stored on the SIM or on the network
Wireless PKI System
[Diagram: SAT-enabled handset with WIB and SmartTrust SIM security client ↔ SMS-C (IP or X.25) ↔ SmartTrust Delivery Platform ↔ SmartTrust security server, SmartTrust Certificate Manager and clients, Directory; the content provider application (CD-Shop) and the Wireless Wallet are reached via WEB access or WAP/SAT access]
SIM = Subscriber Identity Module
SAT = SIM Application Toolkit
WIB = Wireless Internet Browser
Question Time
[email protected]
Additional material
An example of Cisco Configuration
CA definition
  ip domain-name cryptonet.it
  crypto ca identity myCA
   enrollment mode ra
   enrollment url http://192.168.0.1/cgi-bin
   query url ldap://192.168.0.2
   crl optional
Step 1—Generate Public/Private Keys
  cisco(config)#crypto key gen rsa usage-key
  The name for the keys will be: mirko.cryptonet.it
  Choose the size of the key modulus in the range of 360 to 2048 for your
  Signature Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
  How many bits in the modulus [1024]:
  Generating RSA keys ...
  [OK]
  Choose the size of the key modulus in the range of 360 to 2048 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
  How many bits in the modulus [1024]:
  Generating RSA keys ...
  [OK]
Step 1—Generate Public/Private Keys (displaying the public keys)
  #sho crypto key mypublic rsa
  % Key pair was generated at: 01:18:43 UTC Mar 1 1999
  Key name: mirko.cryptonet.it
  Usage: Signature Key
  Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BEDC6C FBD327FC
  2AFC7521 F2DE3D04 D3239759 7908C8F1 64F0E58F 0116CF6A 897D6210 2D4BFC80
  CE41DF7B AA75ECAA 6680B13F 30F079BE DD361565 A325B72A 3D020301 0001

  % Key pair was generated at: 01:18:45 UTC Mar 1 1993
  Key name: mirko.cryptonet.it
  Usage: Encryption Key
  Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C06DC2 3AE2BF72
  CE9FD6F6 55C13A0D A3C183D5 1E7E4523 E8863DDC D852FD32 86461BBC F10EEA77
  8A6A5AC9 AFEF6B0A 03107565 03384DB4 4E6C4A77 0C594B10 31020301 0001
Step 2—Request the CA and RA Certificates (manually verify the fingerprint of the CA)
  Cisco(config)#cryp ca authenticate myCA
  Certificate has the following attributes:
  Fingerprint: 1A5416D6 2EEE8943 D11CCEE1 3DEE9CE7
  % Do you accept this certificate? [yes/no]: y
Step 3—Enrol the Router with the CA
  cisco(config)#crypto ca enroll myCA
  % Start certificate enrollment ..
  % Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
  Password:
  Re-enter password:
  % The subject name in the certificate will be: mirko.cryptonet.it
  % Include the router serial number in the subject name? [yes/no]: n
  % Include an IP address in the subject name? [yes/no]: n
  Request certificate from CA? [yes/no]: y
Step 3—Enrol the Router with the CA (fingerprints sent to the CA for manual verification)
  cisco(config)#
  Signing Certificate Request Fingerprint: 4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB
  Encryption Certificate Request Fingerprint: D33447FE 71FF2F24 DA98EC73 822BE4F7
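The two manual checks in this procedure, the CA fingerprint the administrator accepts in step 2 and the two request fingerprints the CA administrator compares in step 3, are where the trust is actually established. As an added example (not Cisco or Entrust code), the following Python shows the comparison done carefully: both notations seen in the deck (colon-separated "aa:b0:c2:..." and space-grouped "1A5416D6 2EEE8943 ...") are normalised, the length is checked, and the comparison is constant-time. The fingerprint is assumed to be MD5 over the DER certificate (the 128-bit length shown fits MD5); the certificate bytes are constructed, not real.

```python
"""Out-of-band fingerprint verification for CA authentication and enrollment requests."""
import hashlib
import hmac
import re

FP_HEX_LEN = 32   # 128-bit fingerprint as four groups of eight hex digits


def ios_style_fingerprint(cert_der: bytes) -> str:
    """Format an MD5 fingerprint the way the router output in the deck prints it
    (assumption: MD5 over the DER encoding)."""
    digest = hashlib.md5(cert_der).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalise(fp: str) -> str:
    """Reduce 'aa:b0:c2:..', 'AAB0C2..' or '1A54 2EEE ..' to bare upper-case hex."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(displayed: str, expected: str) -> bool:
    """Constant-time equality of two fingerprints; anything that is not a full
    128-bit value (a typo, a truncated read-out) is rejected, never 'close enough'."""
    a, b = normalise(displayed), normalise(expected)
    if len(a) != FP_HEX_LEN or len(b) != FP_HEX_LEN:
        return False
    return hmac.compare_digest(a, b)


def answer_for_authenticate_prompt(cert_der: bytes, expected_fp: str) -> str:
    """Step 2: what to type at '% Do you accept this certificate? [yes/no]:',
    given the fingerprint obtained out of band (phone call, sealed letter)."""
    return "yes" if fingerprints_match(ios_style_fingerprint(cert_der), expected_fp) else "no"


def request_fingerprints_verified(shown_on_router: dict, reported_to_ca: dict) -> bool:
    """Step 3: the CA administrator grants only if BOTH the signing and the encryption
    request fingerprints read from the router match what arrived at the CA."""
    if set(shown_on_router) != {"signing", "encryption"} or set(reported_to_ca) != set(shown_on_router):
        return False
    return all(fingerprints_match(shown_on_router[k], reported_to_ca[k]) for k in shown_on_router)


# Constructed sample certificate bytes (not a real DER certificate).
SAMPLE_CA_CERT = b"constructed sample, stands in for the DER-encoded CA certificate"


def demo() -> dict:
    fp = ios_style_fingerprint(SAMPLE_CA_CERT)
    lower_colons = ":".join(normalise(fp)[i:i + 2] for i in range(0, FP_HEX_LEN, 2)).lower()
    return {
        "accept_when_equal": answer_for_authenticate_prompt(SAMPLE_CA_CERT, lower_colons),
        "reject_when_different": answer_for_authenticate_prompt(
            SAMPLE_CA_CERT, "1A5416D6 2EEE8943 D11CCEE1 3DEE9CE7"),
        "reject_truncated": answer_for_authenticate_prompt(SAMPLE_CA_CERT, fp[:20]),
        "step3_ok": request_fingerprints_verified(
            {"signing": "4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB",
             "encryption": "D33447FE 71FF2F24 DA98EC73 822BE4F7"},
            {"signing": "4c6db57d7caf85317778ddb3cceb1ffb",
             "encryption": "d33447fe71ff2f24da98ec73822be4f7"}),
        "step3_one_wrong": request_fingerprints_verified(
            {"signing": "4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB",
             "encryption": "D33447FE 71FF2F24 DA98EC73 822BE4F7"},
            {"signing": "4c6db57d7caf85317778ddb3cceb1ffb",
             "encryption": "d33447fe71ff2f24da98ec73822be4f8"}),
    }
```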
Step 4—CA grants Certificates (Status Pending -> Available)
  cisco#show crypto ca certificate
  Certificate
    Subject Name
      Name: mirko.cryptonet.it
    Status: Pending
    Key Usage: Signature
    Fingerprint: 4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB
  Certificate
    Subject Name
      Name: mirko.cryptonet.it
    Status: Pending
    Key Usage: Encryption
    Fingerprint: D33447FE 71FF2F24 DA98EC73 822BE4F7