1.8.1 Public Key Infrastructure (PKI)

1.8.1 Public Key Infrastructure (PKI)

Uses X509v3 format to generate certificate
The Certificate Authority is a trusted 3rd party authority by both the peer who exchange the certificates for authenticating each other
PKI is a service framework, needed to support large-scale public key based technologies

Usage RSA Keys

Usage keys consist of two RSA key pairs--one RSA key pair is generated and used for encryption and one RSA key pair is generated and used for signatures. With usage keys, each key is not unnecessarily exposed.
(Without usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
General-Purpose RSA Keys
General-purpose keys consist of only one RSA key pair that used for both encryption and signatures. General-purpose key pairs are used more frequently than usage key pairs

There are 3 types of Certificates:

Root Certificate

- It is the certificate sent by CA to tell that it is a trusted authority
- Certificate Format
- - Serial Number
  - Issuer Name
  - Valid From
  - Valid To
  - Subject
  - IP Address
  - Exit Interface
  - Domain Name
  - Public Key
Identity Certificate
- This is the certificate issued to the peer who is requesting the certificate
Self Signed Certificate
- This is a certificate signed by itself
- This is done when the CA itself wants a certificate for communication

There are 2 methods of Deployment

In-Band - Simple Certificate Enrollment Protocol (SCEP) [Travel inside a network using http]
- Step1: Request for root certificate - Client to CA
- Step2: Issue a Root certificate hashed with md5 and sha1 - CA to Client
- Step3: Client has an option whether to accept the root certificate or reject - client
- Step4: If accepeted, ACK sent to CA - Client to CA
- Step5: CA issues an identity certificate - CA to Client
Out of Band - USB, External Flash, TFTP [ Certificate never travels over the network]

Responsibility of CA

Issue Certificate
Maintenance
Validation:
- CDP: CRL (Certificate Revocation List) Distribution Point
- - The peer receiving the certificate checks with the CDP list to see if the certificate is revoked
  - The problem with this method that clients tend to use the already downloaded CDP list instead of downloading the list for every request
  - If a revoked certificate is received before the peer downloads the CDP list, then it might process it as a valid certificate
- OCSP: Online Certificate Status Protocol
- - This was created to overcome the problem with CDP
  - In this, when a peer receives a certificate it sends a request with the serial number of the certificate to the OCSP server
  - The OCSP server just responds whether the serial number of the presented certificate is good or bad or unknown.

pkifullconfig.pdf

Configuration Steps on IOS:

Synchronize the clocks (NTP - You could also use manual time set)
- (config)# clock set 13:51:00 28 January 2013 // Manual - You could also use NTP
Enable HTTP
- (config)#ip http server
Generate RSA key pair
- (config)#crypto key generate rsa modulus 1024
CA Server configuration
- (config)#crypto pki server IOS_CA
- - (cs-server)# issuer_name CN=cisco_ca OU=Cisco L=Bangalore S=Karnataka C=India
  - (cs-server)# lifetime ca_certificate 3
  - (cs-server)# lifetime certificate 2
  - (cs-server)# grant auto
  - (cs-server)# database level minimum [DEFAULT]
  - (cs-server)# database URL flash: [DEFAULT: nvram]
  - (cs-server)# no shutdown // It will ask for a password to initialize the server
  - - Password: <_____________>

IN Client

Define a trust point in the client
- (config)# crypto pki trustpoint IOSCA // OR you can use: (config)# crypto ca trustpoint IOSCA
- - (ca-trustpoint)# enrollment url http://10.1.1.1
  - (ca-trustpoint)# revocation check none
Authenticate the CA
- (config)# crypto pki authenticate IOSCA
Enroll
- (config)# crypto pki enroll IOSCA
- - Password: <__________>
  - Confirim-Password: <______>
  - Include Router Serial in Subject: Y/N
  - Include IP in Subject: Y/N
  - Enter Interface IP:
  - Request Certificate from CA: Y/N

Network Time Protocol (NTP)

It works on UDP 123
It supports authentication using MD5
It was derived from algorithm called Marzerllo
It uses Stratum Number <1-15>: Logical Distance towards your NTP server

Configuration on Server:

(config)# ntp master <stratum number>
- NTP learns the time by syncing with its internal software clock at the address 127.127.7.1 loopback
(config)# ntp authentication-key 1 md5 cisco
(config)# ntp trust-key 1
(config)# ntp authenticate // To enable Authentication

Configuration on Client:

(config)# ntp server 10.1.1.1
(config)# ntp authentication-key 1 md5 cisco
(config)# ntp trust-key 1
(config)# ntp authenticate

IOS L2L using CA

R1: NTP+CA server //NTP optional

clock set HH:MM:SS day month year

clock timezone IST 5 30 //optional

ntp master 1 //NTP STRATUM no. lower number will be preferred

ntp authenticate //optional for security

ntp trusted-key 1

ntp authentication-key 1 md5 cisco

ip domain-name cisco.com

crypto key generate rsa modulus 1024 //to generate private KEY

crypto pki server IOSCA //pki - public key infrastructure

issuer-name CN=IOSCA.cisco.com L=Bangalore C=India //x.509 format

grant auto //if client request server provides cert automatically

lifetime certificate 2 //validity for client certificates

lifetime ca-certificate 1 //validity for self-signed server certificates

cdp-url http://10.1.1.1 //ip address for client to request

database url flash:// //to store certificates

no shutdown //to activate pki server

Password:cisco123

Re-enter password: cisco123

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

% Exporting Certificate Server signing certificate and keys...

% Certificate Server enabled.

ip http server

Dec 2 10:42:03.895: %PKI-6-CS_ENABLED: Certificate server now enabled.

Verification:

show ntp status

In R2:

clock timezone IST 5 30

ntp trusted-key 1

ntp authentication-key 1 md5 cisco

ntp server 10.1.1.1

ip domain-name cisco.com

crypto key generate rsa modulus 1024

The name for the keys will be: IPsecPeer1.cisco.com

crypto pki trustpoint MyCA

enrollment url http://10.1.1.1:80 //SCEP uses http to carry certificates

revocation-check crl none or http://.......

crypto pki authenticate MyCA

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

crypto pki enroll MyCA

Password:ciscoabc

Re-enter password: ciscoabc

% The subject name in the certificate will include: IPsecPeer1.cisco.com

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]: no

Request certificate from CA? [yes/no]: yes

In R3

clock timezone IST 5 30

ntp trusted-key 1

ntp authentication-key 1 md5 cisco

ntp server 10.1.1.1

ip domain-name cisco.com

crypto key generate rsa modulus 1024

The name for the keys will be: IPsecPeer1.cisco.com

crypto pki trustpoint MyCA

enrollment url http://10.1.1.1:80 //SCEP uses http to carry certificates

revocation-check crl none or http://.......

crypto pki authenticate MyCA

% Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.

crypto pki enroll MyCA

Password:ciscoabc

Re-enter password: ciscoabc

% The subject name in the certificate will include: IPsecPeer1.cisco.com

% Include the router serial number in the subject name? [yes/no]: no

% Include an IP address in the subject name? [no]: no

Request certificate from CA? [yes/no]: yes

Verification:

sh ntp status

Show ntp association

sh cry pki certificates

R1:

crypto isakmp policy 10

Authentication rsa-sig

hash md5

group 2

crypto ipsec transform-set TSET esp-des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp

set peer 10.1.1.3

set transform-set TSET

match address 101

access-list 101 permit ip 1.0.0.0 0.0.0.255 2.0.0.0 0.0.0.255

Inter f0/0

crypto map CMAP

R2:

crypto isakmp policy 20

Authentication rsa-sig

hash md5

group 2

crypto ipsec transform-set TSET esp-des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp

set peer 10.1.1.2

set transform-set TSET

match address 101

access-list 101 permit ip 2.0.0.0 0.0.0.255 1.0.0.0 0.0.0.255

Inter f0/0

crypto map CMAP

Verification:

Show crypto isakmp sa

Show crypto isakmp sa detail

Show crypto ipsec sa

Home Work Task:

First let us synchronize the clock using NTP

At the NTP Server:

clock set 15:30:00 28 November 2013 // This is the clock that will be synchronized to all

From Config Mode

ntp authentication-key 1 md5 cisco123
ntp authenticate
ntp trusted-key 1
ntp master 1

At the CA_Server, R2 and R3:

ntp authentication-key 1 md5 cisco123
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.5 // For CA_Server
ntp server 20.1.1.5 // For R2 and R3

PLEASE NOTE: CA_Server and R2 will successfully synchronize the clock. R3 will not because ASA is blocking UDP 123 (NTP). It can be solved by:

access-list OUT_IN permit udp host 40.1.1.1 host 20.1.1.5 eq ntp
access-group OUT_IN in interface OUTSIDE

At this point our NTP syncing should be done. Now let us configure the CA Server and Client.

Configuration of PKI

Firstly, configure it to be an HTTP Server

ip http server

Then let us configure crypto:

crypto key generate rsa modulous 1024
crypto pki server IOS_CA
- issuer-name CN=ca_server OU=cisco C=India S=Karnataka L=Bangalore
- lifetime ca_certificate 3
- lifetime certificate 2
- grant auto
- database level minimum
- database url nvram:
- no shutdown

At this point, it will ask for a password. Provide a password!

crypto pki trustpoint CA_Server
- enrollment url http://10.1.1.1
- revocation check none
crypto pki authenticate CA_Server // At this point it will show you the hashes (fingerprints) and ask if you want to accept it
crypto pki enroll CA_Server // At this point, it will take you through a Yes/No questions and after you answer them, the certificates will be issued

PLEASE NOTE: At this point, R2 will receive certificate (Due to HTTP being inspected) but R3 will not get since the ASA will block http traffic. This can be overcome by:

Add to the existing access-list,

access-list OUT_IN permit tcp host 40.1.1.1 host 10.1.1.1 eq 80

At this point all certificate issuing will be complete.

VPN Configuration:

access-list 101 permit ip host 2.2.2.2 host 3.3.3.3
crypto isakmp policy 10 // we use the default value in policy
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
- set peer 40.1.1.1
- set transform-set TSET
- match address 101
int f0/0
- crypto map CMAP

We have configured the VPNs, but since the ESP (50) and UDP (500) are being blocked by ASA, we need to make the changes as follows:

At ASA using the existing access-list:

access-list OUT_IN permit esp host 40.1.1.1 host 30.1.1.1
access-list OUT_IN permit udp host 40.1.1.1 host 30.1.1.1 eq 500

WIRESHARK CAPTURED PACKETS