1 / 46

USB Flash drives and Secure eToken

USB Flash drives and Secure eToken. Agenda. Introduction USB Feature Credential Storage with eToken: Storing the Credentials Using the Credentials Simplified Provisioning: Secure Provisioning with eToken Bootstrap Provisioning Using the USB Flash and eToken File System.

sanne
Télécharger la présentation

USB Flash drives and Secure eToken

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. USB Flash drives and Secure eToken

  2. Agenda • Introduction • USB Feature • Credential Storage with eToken: • Storing the Credentials • Using the Credentials • Simplified Provisioning: • Secure Provisioning with eToken • Bootstrap Provisioning • Using the USB Flash and eToken File System

  3. USB Port on Cisco Routers • Provides Portable Credentials storage for Virtual Private Network (VPN) RSA Key Pairs with eToken • Provides off-platform storage, generation of VPN Credentials • Encryption keys are loaded when eToken plugged in, and removed when eToken removed • Provides secure configuration storage and distribution with eToken • Easy to secure distribution of encryption keys and pre-shared keys • Provision boot-strap config into eToken, send Token to location • Router loads bootstrap config off the eToken when turned on, or merges configuration when eToken plugged into router • Provides Portable storage for images and configuration distribution via USB Flash drives, • Plug Flash into router, turn router on, router loads off bootstrap configuration, or copy configuration from Flash • Copy Cisco IOS images from and to the USB Flash File System

  4. What is USB? • USB – Universal Serial Bus. • Typically PC’s are Hosts. • Devices such as Flash drives and Secure tokens plug into Hosts. • ISR USB implementation: • Is a USB Host. • Supports USB 2.0 and USB 1.1 Devices. • Supports Low Speed (1.5 Mbps) and Full Speed (12 Mbps) Devices. • Supports FAT16 disk format, compatible with windows • Does not Support High Speed (480 Mbps). • Please note that USB 2.0 High Speed Flash drive Devices will operate at Full Speed if High Speed is not supported.

  5. USB Support on Cisco Routers • Supported in Cisco IOS Release 12.3(14)T • Supported on all routers with USB port, including: Cisco 871 router, Cisco 1800 series, Cisco 2800 series, or Cisco 3800 series routers. • 2 USB Ports on Cisco 3800 series routers, Cisco 2851, Cisco 2821, Cisco 2811, Cisco 871, Cisco 1811, Cisco 1812 routers • 1 USB Port on Cisco 2801, and Cisco 1841 routers

  6. USB Devices Support • USB eToken Support: • eToken Pro key sold by Aladdin Knowledge Systems • http://www.ealaddin.com/etoken/cisco • USB Flash Module • Hardware device sold by Cisco Systems • Flash drives are supported at Full Speed (12 Mbps) • Supports the Flash Part numbers only: • 64 MB – MEMUSB-64FT • 128 MB – MEMUSB-128FT • 256 MB – MEMUSB-256FT • Flash and USB eToken are the only USB devices supported at this time

  7. Agenda • Introduction • USB Feature • Credential Storage with eToken: • Storing the Credentials • Using the Credentials • Simplified Provisioning: • Secure Provisioning with eToken • Bootstrap Provisioning • Using the USB Flash and eToken File System

  8. Credential Storage with eToken: 1- Storing the Credentials 2- Using the Credentials

  9. 1- Storing the RSA Keypair on the eToken • Steps to store the credentials on the eToken: • Plug eToken to router • Login to the eToken using the provided PIN • Generate the keypair with the CLI • Write memory: Credentials are stored on the eToken instead of Private NVRAM • Credentials can be generated on different router • Directory & key files are hidden from IOS CLI, even when the eToken is logged in. • Logged-in eToken becomes the default key storage location for newly-created keys.

  10. eToken login options • There are two ways to login to the eToken: • Automatic: PIN is in the running-configs router(config)# crypto pki token default user-pin 0 1234567890 Any token or give a lable optional 0 2. Manual login: From CLI with or without the enable mode router# or router> crypto pki token usbtoken0: login 1234567890 Note: eToken default pin is 1234567890

  11. Without USB eToken: Steps to generate and store the Crypto Keys • Generate Keys and Enroll with the CA router(config)# crypto key gen rsa cry pki trustpoint IOSCA enrollment url http://10.23.2.2 crypto ca authenticate IOSCA crypto ca enroll IOSCA • Store the encryption keys on the eToken router# Write mem

  12. With USB eToken: Steps to generate and store the Crypto Keys 1. Plug in the eToken 2. Login to the eToken Router# crypto pki token usbtoken0: login 1234567890 3. Generate Keys and Enroll with the CA router(config)# crypto key gen rsa cry pki trustpoint IOSCA enrollment url http://10.23.2.2 crypto ca authenticate IOSCA crypto ca enroll IOSCA 4. Store the encryption keys on the eToken router# Write mem

  13. Step 1: Generate the RSA Keys • This router begins with no keys c2851-27#show crypto key mypubkey rsa c2851-27#show crypto ca certificates c2851-27#conf t Enter configuration commands, one per line. End with CNTL/Z. c2851-27(config)# c2851-27(config)#cry key gen rsa The name for the keys will be: c2851-27.cisco.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: % Generating 512 bit RSA keys ...[OK] c2851-27(config)# *Jan 13 06:46:26.633: %SSH-5-ENABLED: SSH 1.99 has been enabled

  14. Step 2: Enrolling with the CA • The write mem is defaulted to store the key on the eToken c2851-27(config)#cry pki trustpoint IOSCA c2851-27(ca-trustpoint)#enrollment url http://10.23.2.2 c2851-27(ca-trustpoint)#exit c2851-27(config)#crypto ca authenticate IOSCA Certificate has the following attributes: Fingerprint MD5: 23272BD4 37E3D9A4 236F7E1A F534444E Fingerprint SHA1: D1B4D9F8 D603249A 793B3CAF 8342E1FE 3934EB7A % Do you accept this certificate? [yes/no]: yes Trustpoint CA certificate accepted. c2851-27(config)#cry ca en c2851-27(config)#cry ca enroll IOSCA % % Start certificate enrollment .. % Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it. Password:

  15. Step 3: Storing the Keys to the eToken • write mem will store the keys to the eToken automatically Re-enter password: % The subject name in the certificate will include: c2851-27.cisco.com % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]: no Request certificate from CA? [yes/no]: yes % Certificate request sent to Certificate Authority % The 'show crypto ca certificate IOSCA verbose' commandwill show the fingerprin t. c2851-27(config)# *Jan 13 06:47:19.413: CRYPTO_PKI: Certificate Request Fingerprint MD5: E6DDAB1B 0E30EFE6 54529D8A DA787DBA *Jan 13 06:47:19.413: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 3B0F33B 7 57C02A10 3935042B C4B6CD3D 61039251 *Jan 13 06:47:21.021: %PKI-6-CERTRET: Certificate received from Certificate Auth Ority c2851-27(config)#do write mem Building configuration... [OK] c2851-27(config)# *Jan 13 06:47:29.481: %CRYPTO-6-TOKENSTOREKEY: Key c2851-27.cisco.com stored on Cryptographic Token eToken Successfully

  16. 2- Using the Stored Credentials • User Experience with eToken: • User Plugs in the eToken • Login to eToken: Automatic or from CLI • Router initiates the VPN Tunnel using the stored credentials • User is connected to VPN • User removes the eToken • Router tears down the VPN tunnel after timeout Headend Internet

  17. Token removal timeout • The crypto keys uses the default ISAKMP timeout to re-key the credentials • Use the following command change the timeout after removing the eToken, • The following tears down the VPN tunnel after 10 seconds from removing the eToken router(config)# crypto pki token usbtoken0 removal timeout 10

  18. eToken and IPSec Configuration • eToken effect ISAKMP during negotiations • eToken credentials storage works with any IPSec configurations using PKI (i.e. IPSec, IPSec with GRE, DMVPN) • This example uses the following configurations crypto isakmp policy 1 ! crypto ipsec transform-set test_transformset esp-3des ! crypto map test_cryptomap 10 ipsec-isakmp set peer 10.23.2.3 set transform-set test_transformset match address 170 ! interface GigabitEthernet0/0 crypto map test_cryptomap ! access-list 170 permit ip host 1.1.1.1 host 3.3.3.3

  19. Display the eToken File System • The write mem is defaulted to store the key on the eToken when the eToken is plugged in • After write memory, the directory /keystore is created, and the key are stored hidden in the directory c2851-27#dir usbtoken0: Directory of usbtoken0:/ 2 d--- 64 Jan 13 2005 05:07:42 +00:00 1000 5 d--- 2600 Jan 13 2005 05:07:42 +00:00 1001 8 d--- 0 Jan 13 2005 05:07:42 +00:00 1002 10 d--- 512 Jan 13 2005 05:07:42 +00:00 1003 12 d--- 0 Jan 13 2005 05:07:44 +00:00 5000 13 d--- 0 Jan 13 2005 05:07:44 +00:00 6000 14 d--- 0 Jan 13 2005 05:07:44 +00:00 7000 15 d--- 0 Jan 06 2005 23:57:44 +00:00 keystore 32768 bytes total (15741 bytes free) • Notice the bytes free decreases after the keys are stored

  20. Display the Credentials • The following show command displays the key read on the eToken • When the eToken is unplugged, the keys will be removed and the VPN is torn down c2851-27#show crypto key mypubkey rsa % Key pair was generated at: 06:37:26 UTC Jan 13 2005 Key name: c2851-27.cisco.com Usage: General Purpose Key Key is not exportable. Key Data: 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E3C644 43AA7DDD 732E0F4E 3CA0CDAB 387ABF05 EB8F22F2 2431F1AE 5D51FEE3 FCDEA934 7FBD3603 7C977854 B8E999BF 7FC93021 7F46ABF8 A4BA2ED6 172D3D09 B5020301 0001 % Key pair was generated at: 06:37:27 UTC Jan 13 2005 Key name: c2851-27.cisco.com.server Usage: Encryption Key Key is not exportable. Key Data: 307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DD96AE 4BF912EB 2C261922 4784EF98 2E70E837 774B3778 7F7AEB2D 87F5669B BF5DDFBC F0D521A5 56AB8FDC 9911968E DE347FB0 A514A856 B30EAFF4 D1F453E1 003CFE65 0CCC6DC7 21FBE3AC 2F8DEA16 126754BC 1433DEF9 53266D33 E7338C95 BB020301 0001

  21. Removing the eToken • Removing the eToken, will cause the router to remove the crypto keys and time out the vpn tunnel c2851-27# *Jan 13 07:01:45.689: %USB_HOST_STACK-6-USB_DEVICE_DISCONNECTED: A USB device ha s been removed from port 0. *Jan 13 07:01:45.801: %USB_TOKEN_FILESYS-6-USB_TOKEN_REMOVED: USB Token device r emoved: usbtoken0. *Jan 13 07:01:45.801: %CRYPTO-6-TOKENREMOVED: Cryptographic token eToken removed from usbtoken0 *Jan 13 07:01:45.801: %CRYPTO-4-TOKENKEYTIMEOUT: RSA keypairs for token eToken a nd associated IPSEC sessions will be deactivated in 1 seconds *Jan 13 07:01:46.801: %CRYPTO-4-TOKENKEYSDEACTIVATED: RSA keypairs from token eT oken and associated IPSEC sessions being deactivated now *Jan 13 07:01:46.801: %SSH-5-DISABLED: SSH 1.99 has been disabled c2851-27#show crypto key mypubkey rsa c2851-27#

  22. Removing the credentials from the eToken • Removing the eToken, will cause the router to remove the crypto keys and time out the vpn tunnel • Plug in the eToken first, then use the following commands to remove the RSA Key pair router(config)# cryto key zeroize rsa no crypto pki trustpoint IOSCA c2851-27#show crypto key mypubkey rsa c2851-27#

  23. Agenda • Introduction • USB Feature • Credential Storage with eToken: • Storing the Credentials • Using the Credentials • Simplified Provisioning: • Secure Provisioning with eToken • Bootstrap Provisioning • Using the USB Flash and eToken File System

  24. Simplified Provisioning:1- Secure Provisioning with eToken2- Bootstrap Provisioning

  25. 1- Secure Provisioning with eToken • eToken can be used to store and secure a secondary configuration file • This config file is processed after login to eToken • Can setup tunnels, etc. using token keys • Configuration File is protected by the Secure token • Merged with running configuration • Only one secondary config can be configured • Merged configs can be manually saved by “write mem” router(config)# crypto pki token default secondary config CONFIG1.CFG

  26. Config file format • Text file stored on the eToken • Can Contain the complete router configuration or a subset VPN tunnel configuration • Merged with running configuration • Config file should have the “end” statement at the last line, else the config is applied but a following error is logged c2851-27# *Jan 13 18:06:54.594: %PARSER-4-BADCFG: Unexpected end of configuration file. c2851-27#

  27. 2- Boot Strap Provisioning • Boot strap configuration from the USB Flash or eToken • Booting images from usbflash is not supported in 12.3(14)T • Use the following command to configure bootstrap from USB device Router(config)# boot config usbtoken0:CONFIG1.CFG Or Router(config)# boot config usbflash0:CONFIG1.CFG

  28. Agenda • Introduction • USB Feature • Credential Storage with eToken: • Storing the Credentials • Using the Credentials • Simplified Provisioning: • Secure Provisioning with eToken • Bootstrap Provisioning • Using the USB Flash and eToken File

  29. Using the USB Flash and eToken File System

  30. USB eToken and USB Flash Comparison

  31. USB eToken and USB Flash Comparison (2)

  32. Managing the USB File System • List of files • Change directory • Format • Copy a file • Copy image to USB Flash • Delete a file • Other show usb commands • Plug in the USB Flash • eToken Specific commands • Plug in the eToken • Login and Logout the eToken • Troubleshooting eToken Login

  33. List all files on the Drive • Displays the USB Drive contents • Use dir or Show command to display the content router# dir usbtoken0: Or router# dir usbflash0: c2851-27#dir usbtoken0: Directory of usbtoken0:/ 2 d--- 64 Jan 13 2005 05:19:26 +00:00 1000 5 d--- 2600 Jan 13 2005 05:19:26 +00:00 1001 8 d--- 0 Jan 13 2005 05:19:26 +00:00 1002 10 d--- 512 Jan 13 2005 05:19:26 +00:00 1003 12 d--- 0 Jan 13 2005 05:19:26 +00:00 5000 13 d--- 0 Jan 13 2005 05:19:28 +00:00 6000 14 d--- 0 Jan 13 2005 05:19:28 +00:00 7000 32768 bytes total (27385 bytes free)

  34. Change directory • Change the directory on the USB Drive router# cd usbtoken0:/1000 Or router# cd usbflash0:/1000 c2851-27#cd usbtoken0:/1000 c2851-27#dir Directory of usbtoken0:/1000/ 3 ---- 11 Jan 13 2005 06:28:04 +00:00 1 4 ---- 32 Jan 13 2005 06:28:04 +00:00 2 32768 bytes total (27385 bytes free)

  35. Format the Drive • USB Drive will be formatted router# format usbtoken0: Or router# format usbflash0: c2851-27#format usbtoken0: Format operation may take a while. Continue? [confirm] Format operation will destroy all data in "usbtoken0:". Continue? [confirm] Reclaiming all space...... Initializing devices...... Format of usbtoken0 complete

  36. Copy files • Copies the running config to the eToken router# copy running-config usbtoken0: Or router# copy running-config usbflash0: c2851-27#copy running-config ? archive: Copy to archive: file system flash: Copy to flash: file system ftp: Copy to ftp: file system http: Copy to http: file system https: Copy to https: file system ips-sdf Update (merge with) IPS signature configuration null: Copy to null: file system nvram: Copy to nvram: file system rcp: Copy to rcp: file system running-config Update (merge with) current system configuration scp: Copy to scp: file system startup-config Copy to startup configuration system: Copy to system: file system tftp: Copy to tftp: file system usbflash1: Copy to usbflash1: file system usbtoken0: Copy to usbtoken0: file system xmodem: Copy to xmodem: file system ymodem: Copy to ymodem: file system

  37. Copy image from flash: to usbflash0: • Copy an image from flash to usbflash0: router# router#copy flash:c1841-advsecurityk9-mz.123-14T usbflash0: Destination filename [c1841-advsecurityk9-mz.123-14T]? Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 17523748 bytes copied in 58.544 secs (299326 bytes/sec)

  38. Delete a File • Deleting a file from the USB file system router# delete usbtoken0:running-config Or router# delete usbflash0:running-config c2851-27#delete usbtoken0:running-config Delete filename [running-config]? Delete usbtoken0:running-config? [confirm] c2851-27#

  39. Other USB commands The following are addition USB commands • Show usb controller • Show usb device • Show usb driver

  40. Plug in the USB Flash router# router# *Feb 2 19:21:53.531: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB d evice has been inserted in port 0. *Feb 2 19:21:54.171: %USBFLASH-5-CHANGE: usbflash0 has been inserted! Unplugging the USB Flash Router# *Feb 2 19:29:26.595: %USB_HOST_STACK-6-USB_DEVICE_DISCONNECTED: A USB device ha s been removed from port 0. *Feb 2 19:29:26.699: %USBFLASH-5-CHANGE: usbflash0 has been removed!

  41. eToken Specific commands

  42. Plug in the eToken router# Plug in the eToken, with user pin is stored in the running-config c2851-27# *Jan 13 05:17:20.001: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Low speed USB de vice has been inserted in port 0. *Jan 13 05:17:21.497: %USB_TOKEN_FILESYS-6-USB_TOKEN_INSERTED: USB Token device inserted: usbtoken0. *Jan 13 05:17:21.501: %USB_TOKEN_FILESYS-6-REGISTERING_WITH_IFS: Registering USB Token File System usbtoken0: might take a while... *Jan 13 05:17:21.841: %CRYPTO-6-TOKENINSERTED: Cryptographic token eToken insert ed in usbtoken0 *Jan 13 05:17:22.053: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Suc cessful *Jan 13 05:17:25.401: %USB_TOKEN_FILESYS-6-REGISTERED_WITH_IFS: USB Token File S ystem usbtoken0 is registered...

  43. Login and logout to the eToken router# crypto pki token usbtoken0: login 1234567890 • Login to the eToken c2851-27#crypt pki token usbtoken0: login 1234567890 Token eToken is usbtoken0 Token login to usbtoken0(eToken) successful *Jan 13 05:26:46.385: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Suc cessful router# crypto pki token usbtoken0: logout • Logout from the eToken crypto pki token usbtoken0: logout Token eToken is usbtoken0 Token logout from usbtoken0(eToken) successful *Jan 28 05:46:59.544: %CRYPTO-6-TOKENLOGOUT: Cryptographic Token eToken Logout S uccessful

  44. Troubleshooting Login failure • Successful login c2851-27#crypto pki token usbtoken0: login 1234567890 Token eToken is usbtoken0 Token login to usbtoken0(eToken) successfulA pre-shared key for address mask 10. 23.2.3 255.255.255.255 already exists! c2851-27# *Jan 13 18:44:44.038: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Suc cessful c2851-27# • Failed login with wrong pin c2851-27#crypto pki token usbtoken0: login 1234567891 Token eToken is usbtoken0 Token login to usbtoken0(eToken) failed c2851-27# *Jan 13 18:44:50.558: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Log in FAILED

  45. Summary • Credential Storage with eToken: • Storing the Credentials • Using the Credentials • Simplified Provisioning: • Secure Provisioning with eToken • Bootstrap Provisioning • Using the USB Flash and eToken File System

More Related