Using RSA encr authentication on PIX

jefforsi (Level 1)

Hi,

Does the PIX support RSA encr as an authentication method? I found in the documentation that the PIX only supports RSA Sig (using a CA) or pre-shared keys...

I need to set up a site-to-site VPN between a Cisco router (which supports RSA encr) and a PIX.

If it is not supported, when will it be available?

Tks

4 Replies

mostiguy (Level 6)

It likely is not, assuming you mean RSA encrypted nonces. IOS is the only Cisco OS that supports it; PIX OS and VPN 3000 OS do not.

Just use pre-shared keys.

The problem is that pre-shared keys are not acceptable for security reasons.

Then set up a CA with OpenSSL, Windows Server, etc. RSA encrypted nonces do not provide for non-repudiation, which is probably why support for their usage is hard to come by.

Disclaimer - I am not a cryptographer:

Using long pre-shared keys, with one for each tunnel (i.e., not using the same key for every tunnel you will create) on a point-to-point tunnel (one that will only be negotiated between two IP addresses, as opposed to a tunnel open for dynamic tunnel creation), is probably at least as secure as RSA nonces, if not more so. I would tend to think it would be more secure, as it should supply non-repudiation: you can claim that both sides have the same key and therefore must be liable for their actions.
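As an added example (not part of the thread or of any Cisco documentation), the "set up a CA with OpenSSL" route in shell: bootstrap a small CA, issue an RSA certificate to each IPsec peer (the router and the PIX), and verify that both chain to the CA. The directory layout, the CA name and the peer CNs (router.example.net, pix.example.net) are constructed placeholders; how each peer imports its certificate is device-specific and not shown here.

```shell
#!/bin/sh
# Added example: minimal OpenSSL CA for RSA-Sig IKE authentication between two
# IPsec peers. All paths and subject names below are constructed placeholders.
set -eu

WORK="${CA_WORK:-$(mktemp -d)}"

# Create the CA: self-signed RSA certificate and private key (10-year validity).
make_ca() {
  mkdir -p "$WORK/ca"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" \
    -subj "/CN=Example VPN CA" 2>/dev/null
}

# Issue a certificate to one peer: generate its key and CSR, then sign the CSR
# with the CA. $1 = short name (router or pix), $2 = subject CN (peer's FQDN).
issue_peer() {
  name=$1; cn=$2
  mkdir -p "$WORK/$name"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name/$name.key" -out "$WORK/$name/$name.csr" \
    -subj "/CN=$cn" 2>/dev/null
  openssl x509 -req -in "$WORK/$name/$name.csr" -CA "$WORK/ca/ca.crt" \
    -CAkey "$WORK/ca/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$name/$name.crt" 2>/dev/null
}

# Verify that a peer certificate chains to our CA (exit status 0 on success).
# Each peer performs the same check on the other side's certificate during IKE.
verify_peer() {
  openssl verify -CAfile "$WORK/ca/ca.crt" "$WORK/$1/$1.crt" >/dev/null
}

# Print the subject a peer will present; this is the identity the other side
# should expect for this tunnel, so only that peer's key can complete the handshake.
peer_subject() {
  openssl x509 -in "$WORK/$1/$1.crt" -noout -subject
}

make_ca
issue_peer router router.example.net
issue_peer pix pix.example.net
verify_peer router && verify_peer pix
peer_subject router
peer_subject pix
```

Each peer ends up with its own private key, which is what gives the signature-based method the non-repudiation that a shared key cannot: a certificate presented in IKE could only have been backed by the one key its holder controls.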