CA Training: USB Flash drives and Secure eToken
© 2004 Cisco Systems, Inc. All rights reserved.


Page 1: Title slide

CA Training
USB Flash drives and Secure eToken

Page 2: Agenda

Introduction
USB Feature
Credential Storage with eToken:
1. Storing the Credentials
2. Using the Credentials
Simplified Provisioning:
1. Secure Provisioning with eToken
2. Bootstrap Provisioning
Using the USB Flash and eToken File System

Page 3: USB Port on Cisco Routers

• Provides portable credential storage for Virtual Private Network (VPN) RSA key pairs with the eToken
• Provides off-platform storage and generation of VPN credentials
• Encryption keys are loaded when the eToken is plugged in, and removed when the eToken is removed
• Provides secure configuration storage and distribution with the eToken
• Easy, secure distribution of encryption keys and pre-shared keys
• Provision a bootstrap config into the eToken, then send the token to the location
• The router loads the bootstrap config off the eToken when turned on, or merges the configuration when the eToken is plugged into the router
• Provides portable storage for image and configuration distribution via USB Flash drives
• Plug the Flash into the router and turn the router on: the router loads the bootstrap configuration, or the configuration can be copied from Flash
• Copy Cisco IOS images from and to the USB Flash file system

Page 4: What is USB?

• USB: Universal Serial Bus. Typically PCs are Hosts; devices such as Flash drives and Secure tokens plug into Hosts.
• ISR USB implementation:
  – Is a USB Host.
  – Supports USB 2.0 and USB 1.1 Devices.
  – Supports Low Speed (1.5 Mbps) and Full Speed (12 Mbps) Devices.
  – Supports the FAT16 disk format, compatible with Windows.
  – Does not support High Speed (480 Mbps). Note that USB 2.0 High Speed Flash drive devices will operate at Full Speed when High Speed is not supported.

Page 5: USB Support on Cisco Routers

• Supported in Cisco IOS Release 12.3(14)T
• Supported on all routers with a USB port, including the Cisco 871 router, Cisco 1800 series, Cisco 2800 series and Cisco 3800 series routers
• 2 USB ports on Cisco 3800 series routers and Cisco 2851, Cisco 2821, Cisco 2811, Cisco 871, Cisco 1811 and Cisco 1812 routers
• 1 USB port on Cisco 2801 and Cisco 1841 routers

Page 6: USB Devices Support

• USB eToken support:
  eToken Pro key sold by Aladdin Knowledge Systems
  http://www.ealaddin.com/etoken/cisco
• USB Flash module:
  Hardware device sold by Cisco Systems
  Flash drives are supported at Full Speed (12 Mbps)
  Only the following Flash part numbers are supported:
  • 64 MB – MEMUSB-64FT
  • 128 MB – MEMUSB-128FT
  • 256 MB – MEMUSB-256FT
• Flash and USB eToken are the only USB devices supported at this time

Page 7: Agenda (repeat of page 2, introducing Credential Storage with eToken)

Page 8: Credential Storage with eToken

1. Storing the Credentials
2. Using the Credentials

Page 9: 1. Storing the RSA Keypair on the eToken

• Steps to store the credentials on the eToken:
  1. Plug the eToken into the router
  2. Log in to the eToken using the provided PIN
  3. Generate the keypair with the CLI
  4. Write memory: the credentials are stored on the eToken instead of private NVRAM
• Credentials can be generated on a different router
• The directory and key files are hidden from the IOS CLI, even when the eToken is logged in.
• A logged-in eToken becomes the default key storage location for newly created keys.

Page 10: eToken login options

There are two ways to log in to the eToken:

1. Automatic: the PIN is in the running-config
   router(config)# crypto pki token default user-pin 0 1234567890
   ("default" applies to any token; a token label can be given instead. The "0" is optional.)

2. Manual login: from the CLI, with or without enable mode
   router# or router>
   crypto pki token usbtoken0: login 1234567890

Note: the eToken default PIN is 1234567890

Page 11: Without USB eToken: Steps to generate and store the Crypto Keys

• Generate keys and enroll with the CA
  router(config)# crypto key gen rsa
  router(config)# crypto pki trustpoint IOSCA
  router(ca-trustpoint)# enrollment url http://10.23.2.2
  router(config)# crypto ca authenticate IOSCA
  router(config)# crypto ca enroll IOSCA

• Store the encryption keys (with no eToken present, write mem stores them in private NVRAM)
  router# write mem

Page 12: With USB eToken: Steps to generate and store the Crypto Keys

1. Plug in the eToken

2. Log in to the eToken
   Router# crypto pki token usbtoken0: login 1234567890

3. Generate keys and enroll with the CA
   router(config)# crypto key gen rsa
   router(config)# crypto pki trustpoint IOSCA
   router(ca-trustpoint)# enrollment url http://10.23.2.2
   router(config)# crypto ca authenticate IOSCA
   router(config)# crypto ca enroll IOSCA

4. Store the encryption keys on the eToken
   router# write mem

Page 13: Step 1: Generate the RSA Keys

• This router begins with no keys

c2851-27#show crypto key mypubkey rsa
c2851-27#show crypto ca certificates
c2851-27#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c2851-27(config)#
c2851-27(config)#cry key gen rsa
The name for the keys will be: c2851-27.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

c2851-27(config)#
*Jan 13 06:46:26.633: %SSH-5-ENABLED: SSH 1.99 has been enabled

Page 14: Step 2: Enrolling with the CA

• write mem defaults to storing the key on the eToken

c2851-27(config)#cry pki trustpoint IOSCA
c2851-27(ca-trustpoint)#enrollment url http://10.23.2.2
c2851-27(ca-trustpoint)#exit
c2851-27(config)#crypto ca authenticate IOSCA
Certificate has the following attributes:
    Fingerprint MD5: 23272BD4 37E3D9A4 236F7E1A F534444E
    Fingerprint SHA1: D1B4D9F8 D603249A 793B3CAF 8342E1FE 3934EB7A

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
c2851-27(config)#cry ca en
c2851-27(config)#cry ca enroll IOSCA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:

Page 15: Step 3: Storing the Keys to the eToken

• write mem will store the keys to the eToken automatically

Re-enter password:

% The subject name in the certificate will include: c2851-27.cisco.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto ca certificate IOSCA verbose' command will show the fingerprint.

c2851-27(config)#
*Jan 13 06:47:19.413: CRYPTO_PKI:  Certificate Request Fingerprint MD5: E6DDAB1B 0E30EFE6 54529D8A DA787DBA
*Jan 13 06:47:19.413: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 3B0F33B7 57C02A10 3935042B C4B6CD3D 61039251
*Jan 13 06:47:21.021: %PKI-6-CERTRET: Certificate received from Certificate Authority
c2851-27(config)#do write mem
Building configuration...
[OK]
c2851-27(config)#
*Jan 13 06:47:29.481: %CRYPTO-6-TOKENSTOREKEY: Key c2851-27.cisco.com stored on Cryptographic Token eToken Successfully

Page 16: 2. Using the Stored Credentials

(Diagram: router with eToken, connected across the Internet to the VPN Headend)

User experience with the eToken:
1. User plugs in the eToken
2. Login to the eToken: automatic or from the CLI
3. The router initiates the VPN tunnel using the stored credentials
4. The user is connected to the VPN
5. The user removes the eToken
6. The router tears down the VPN tunnel after the timeout

Page 17: Token removal timeout

• The crypto keys use the default ISAKMP timeout to re-key the credentials
• Use the following command to change the timeout applied after the eToken is removed
• The following tears down the VPN tunnel 10 seconds after the eToken is removed

router(config)# crypto pki token usbtoken0 removal timeout 10

Page 18: eToken and IPSec Configuration

• The eToken affects ISAKMP during negotiations
• eToken credential storage works with any IPSec configuration using PKI (i.e. IPSec, IPSec with GRE, DMVPN)
• This example uses the following configuration:

crypto isakmp policy 1
!
crypto ipsec transform-set test_transformset esp-3des
!
crypto map test_cryptomap 10 ipsec-isakmp
 set peer 10.23.2.3
 set transform-set test_transformset
 match address 170
!
interface GigabitEthernet0/0
 crypto map test_cryptomap
!
access-list 170 permit ip host 1.1.1.1 host 3.3.3.3

Page 19: Display the eToken File System

• write mem defaults to storing the key on the eToken when the eToken is plugged in
• After write memory, the directory /keystore is created, and the keys are stored hidden in that directory
• Notice that the bytes free decrease after the keys are stored

c2851-27#dir usbtoken0:
Directory of usbtoken0:/

    2  d---          64  Jan 13 2005 05:07:42 +00:00  1000
    5  d---        2600  Jan 13 2005 05:07:42 +00:00  1001
    8  d---           0  Jan 13 2005 05:07:42 +00:00  1002
   10  d---         512  Jan 13 2005 05:07:42 +00:00  1003
   12  d---           0  Jan 13 2005 05:07:44 +00:00  5000
   13  d---           0  Jan 13 2005 05:07:44 +00:00  6000
   14  d---           0  Jan 13 2005 05:07:44 +00:00  7000
   15  d---           0  Jan 06 2005 23:57:44 +00:00  keystore

32768 bytes total (15741 bytes free)

Page 20: Display the Credentials

• The following show command displays the keys read from the eToken
• When the eToken is unplugged, the keys are removed and the VPN is torn down

c2851-27#show crypto key mypubkey rsa
% Key pair was generated at: 06:37:26 UTC Jan 13 2005
Key name: c2851-27.cisco.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E3C644 43AA7DDD
  732E0F4E 3CA0CDAB 387ABF05 EB8F22F2 2431F1AE 5D51FEE3 FCDEA934 7FBD3603
  7C977854 B8E999BF 7FC93021 7F46ABF8 A4BA2ED6 172D3D09 B5020301 0001
% Key pair was generated at: 06:37:27 UTC Jan 13 2005
Key name: c2851-27.cisco.com.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DD96AE 4BF912EB
  2C261922 4784EF98 2E70E837 774B3778 7F7AEB2D 87F5669B BF5DDFBC F0D521A5
  56AB8FDC 9911968E DE347FB0 A514A856 B30EAFF4 D1F453E1 003CFE65 0CCC6DC7
  21FBE3AC 2F8DEA16 126754BC 1433DEF9 53266D33 E7338C95 BB020301 0001
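The Key Data shown above is a DER-encoded SubjectPublicKeyInfo, so the modulus size and public exponent of every key pair on a token can be recovered mechanically from the show output and checked against a key-size policy. The following Python script is an added example and is not part of the Cisco training material: the sample text is the slide's two key blocks re-flowed onto separate lines as the router prints them, and the 2048-bit threshold is an assumed local policy, not something the slides state.

```python
import re

# Constructed sample: the two key blocks from the "Display the Credentials"
# slide, re-flowed onto separate lines the way the router prints them.
SAMPLE_SHOW_OUTPUT = """\
% Key pair was generated at: 06:37:26 UTC Jan 13 2005
Key name: c2851-27.cisco.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E3C644 43AA7DDD
  732E0F4E 3CA0CDAB 387ABF05 EB8F22F2 2431F1AE 5D51FEE3 FCDEA934 7FBD3603
  7C977854 B8E999BF 7FC93021 7F46ABF8 A4BA2ED6 172D3D09 B5020301 0001
% Key pair was generated at: 06:37:27 UTC Jan 13 2005
Key name: c2851-27.cisco.com.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00DD96AE 4BF912EB
  2C261922 4784EF98 2E70E837 774B3778 7F7AEB2D 87F5669B BF5DDFBC F0D521A5
  56AB8FDC 9911968E DE347FB0 A514A856 B30EAFF4 D1F453E1 003CFE65 0CCC6DC7
  21FBE3AC 2F8DEA16 126754BC 1433DEF9 53266D33 E7338C95 BB020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1
MIN_MODULUS_BITS = 2048  # assumed local policy threshold, not from the slides


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_spki(hex_words):
    """Decode a SubjectPublicKeyInfo hex dump into (modulus_bits, exponent)."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_words))
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)          # AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsakey, _ = _tlv(bitstr[1:], 0)     # SEQUENCE { n INTEGER, e INTEGER }
    _, n_raw, pos = _tlv(rsakey, 0)
    _, e_raw, _ = _tlv(rsakey, pos)
    n = int.from_bytes(n_raw, "big")       # leading 0x00 pad does not add bits
    e = int.from_bytes(e_raw, "big")
    return n.bit_length(), e


_KEY_BLOCK = re.compile(
    r"Key name: (?P<name>\S+).*?Usage: (?P<usage>[^\n]+?)\s*\n"
    r".*?Key Data:\s*(?P<hex>[0-9A-Fa-f\s]+)",
    re.DOTALL,
)


def audit_ios_rsa_keys(show_output, min_bits=MIN_MODULUS_BITS):
    """One record per key pair in 'show crypto key mypubkey rsa' output."""
    findings = []
    for m in _KEY_BLOCK.finditer(show_output):
        bits, exponent = parse_spki(m.group("hex"))
        findings.append({
            "name": m.group("name"),
            "usage": m.group("usage").strip(),
            "bits": bits,
            "exponent": exponent,
            "weak": bits < min_bits,
        })
    return findings


if __name__ == "__main__":
    for k in audit_ios_rsa_keys(SAMPLE_SHOW_OUTPUT):
        flag = "BELOW POLICY" if k["weak"] else "ok"
        print(f"{k['name']:28} {k['usage']:20} {k['bits']:5d}-bit e={k['exponent']} {flag}")
```

Run against the slide's output, the parser reports the general-purpose key as 512-bit and the .server encryption key as 768-bit, both with exponent 65537 and both below the assumed threshold; because the hex is standard DER, the same walker works on the show output of any router.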

Page 21: Removing the eToken

• Removing the eToken causes the router to remove the crypto keys and time out the VPN tunnel

c2851-27#
*Jan 13 07:01:45.689: %USB_HOST_STACK-6-USB_DEVICE_DISCONNECTED: A USB device has been removed from port 0.
*Jan 13 07:01:45.801: %USB_TOKEN_FILESYS-6-USB_TOKEN_REMOVED: USB Token device removed: usbtoken0.
*Jan 13 07:01:45.801: %CRYPTO-6-TOKENREMOVED: Cryptographic token eToken removed from usbtoken0
*Jan 13 07:01:45.801: %CRYPTO-4-TOKENKEYTIMEOUT: RSA keypairs for token eToken and associated IPSEC sessions will be deactivated in 1 seconds
*Jan 13 07:01:46.801: %CRYPTO-4-TOKENKEYSDEACTIVATED: RSA keypairs from token eToken and associated IPSEC sessions being deactivated now
*Jan 13 07:01:46.801: %SSH-5-DISABLED: SSH 1.99 has been disabled
c2851-27#show crypto key mypubkey rsa
c2851-27#

Page 22: Removing the credentials from the eToken

• Removing the eToken causes the router to remove the crypto keys and time out the VPN tunnel
• Plug in the eToken first, then use the following commands to remove the RSA key pair:

router(config)# crypto key zeroize rsa
router(config)# no crypto pki trustpoint IOSCA

c2851-27#show crypto key mypubkey rsa
c2851-27#

Page 23: Agenda (repeat of page 2, introducing Simplified Provisioning)

Page 24: Simplified Provisioning

1. Secure Provisioning with eToken
2. Bootstrap Provisioning

Page 25: 1. Secure Provisioning with eToken

• The eToken can be used to store and secure a secondary configuration file
• This config file is processed after login to the eToken
• Can set up tunnels, etc. using the token keys
• The configuration file is protected by the secure token
• Merged with the running configuration
• Only one secondary config can be configured
• Merged configs can be manually saved with "write mem"

router(config)# crypto pki token default secondary config CONFIG1.CFG

Page 26: Config file format

• Text file stored on the eToken
• Can contain the complete router configuration or a subset VPN tunnel configuration
• Merged with the running configuration
• The config file should have the "end" statement as its last line; otherwise the config is applied but the following error is logged:

c2851-27#
*Jan 13 18:06:54.594: %PARSER-4-BADCFG: Unexpected end of configuration file.
c2851-27#
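Both the terminator requirement above and the PIN note on page 10 can be checked before a secondary configuration is copied to the token, rather than discovered from the router log afterwards. The following Python lint is an added example, not Cisco tooling: the sample configuration is constructed from the IPSec snippet on page 18 plus an automatic-login line, the factory PIN 1234567890 is the value the slides quote, and the `crypto pki token ... user-pin` line pattern is matched as it appears on page 10.

```python
import re

DEFAULT_ETOKEN_PIN = "1234567890"  # factory default PIN quoted on the slides

# Constructed sample: a CONFIG1.CFG-style secondary config that is missing
# its closing "end" line and stores the factory PIN for automatic login.
SAMPLE_CONFIG = """\
crypto pki token default user-pin 0 1234567890
crypto isakmp policy 1
!
crypto ipsec transform-set test_transformset esp-3des
!
crypto map test_cryptomap 10 ipsec-isakmp
 set peer 10.23.2.3
 set transform-set test_transformset
 match address 170
!
interface GigabitEthernet0/0
 crypto map test_cryptomap
!
access-list 170 permit ip host 1.1.1.1 host 3.3.3.3
"""

# "crypto pki token <default|label> user-pin [0] <pin>" as shown on page 10
_USER_PIN = re.compile(r"^\s*crypto pki token \S+ user-pin(?: \d)? (\S+)\s*$")


def _meaningful(lines):
    """Drop blank lines and '!' comment/separator lines."""
    return [l for l in lines if l.strip() and not l.strip().startswith("!")]


def lint_secondary_config(text):
    """Return findings for a secondary config; an empty list means it is clean."""
    findings = []
    lines = [l.rstrip("\r") for l in text.splitlines()]
    body = _meaningful(lines)
    if not body or body[-1].strip() != "end":
        findings.append("missing terminating 'end' line: IOS applies the config "
                        "but logs %PARSER-4-BADCFG")
    for num, line in enumerate(lines, 1):
        m = _USER_PIN.match(line)
        if m and m.group(1) == DEFAULT_ETOKEN_PIN:
            findings.append(f"line {num}: automatic login uses the factory "
                            f"default PIN {DEFAULT_ETOKEN_PIN}")
    return findings


def ensure_end(text):
    """Append the 'end' line the parser expects if it is not already last."""
    body = text.rstrip("\n")
    last = _meaningful(body.splitlines())
    if last and last[-1].strip() == "end":
        return body + "\n"
    return body + "\nend\n"


if __name__ == "__main__":
    for finding in lint_secondary_config(SAMPLE_CONFIG) or ["clean"]:
        print(finding)
```

The lint only reads the file; `ensure_end` is the one automatic repair, since a missing terminator is harmless to add, whereas the PIN finding needs a human to choose a non-default PIN for the token.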

Page 27: 2. Bootstrap Provisioning

• Bootstrap the configuration from the USB Flash or the eToken
• Booting images from usbflash is not supported in 12.3(14)T
• Use the following command to configure bootstrap from a USB device:

Router(config)# boot config usbtoken0:CONFIG1.CFG
Or
Router(config)# boot config usbflash0:CONFIG1.CFG

Page 28: Agenda (repeat of page 2, introducing Using the USB Flash and eToken File System)

Page 29: Using the USB Flash and eToken File System

Page 30: USB eToken and USB Flash Comparison

Accessibility
  USB eToken: Used to securely store and transfer digital certificates and router configurations from the eToken to the router.
  USB Flash:  Used to store and deploy router configurations and images from the USB Flash to the router.

Storage size
  USB eToken: 32 KB
  USB Flash:  64 MB, 128 MB, 256 MB

File types
  USB eToken: Typically used to store bootstrap data, digital certificates and configurations for Firewalls and IPSec VPNs. eTokens cannot store Cisco IOS images.
  USB Flash:  Stores any file type that might be stored on a compact flash.

Page 31: USB eToken and USB Flash Comparison (2)

Security
  USB eToken: Files can be encrypted and accessed only with a user PIN. Files can also be stored in a non-secure format.
  USB Flash:  Files can only be stored in a non-secure format.

Boot Images and Configurations
  USB eToken: Configuration can be booted from the eToken to the router. A secondary configuration can be booted from the eToken to the router; the secondary configuration allows users to load their IPSec configuration.
  USB Flash:  The configuration file is automatically transferred from the USB Flash to the router.

Page 32: Managing the USB File System

• List of files
• Change directory
• Format
• Copy a file
• Copy image to USB Flash
• Delete a file
• Other show usb commands
• Plug in the USB Flash
• eToken Specific commands
  – Plug in the eToken
  – Login and Logout the eToken
  – Troubleshooting eToken Login

Page 33: List all files on the Drive

• Displays the USB drive contents; use the dir or show command to display the content

router# dir usbtoken0:
Or
router# dir usbflash0:

c2851-27#dir usbtoken0:
Directory of usbtoken0:/

    2  d---          64  Jan 13 2005 05:19:26 +00:00  1000
    5  d---        2600  Jan 13 2005 05:19:26 +00:00  1001
    8  d---           0  Jan 13 2005 05:19:26 +00:00  1002
   10  d---         512  Jan 13 2005 05:19:26 +00:00  1003
   12  d---           0  Jan 13 2005 05:19:26 +00:00  5000
   13  d---           0  Jan 13 2005 05:19:28 +00:00  6000
   14  d---           0  Jan 13 2005 05:19:28 +00:00  7000

32768 bytes total (27385 bytes free)

Page 34: Change directory

• Change the directory on the USB drive

router# cd usbtoken0:/1000
Or
router# cd usbflash0:/1000

c2851-27#cd usbtoken0:/1000
c2851-27#dir
Directory of usbtoken0:/1000/

    3  ----          11  Jan 13 2005 06:28:04 +00:00  1
    4  ----          32  Jan 13 2005 06:28:04 +00:00  2

32768 bytes total (27385 bytes free)

Page 35: Format the Drive

• The USB drive will be formatted

router# format usbtoken0:
Or
router# format usbflash0:

c2851-27#format usbtoken0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "usbtoken0:".  Continue? [confirm]
Reclaiming all space......
Initializing devices......
Format of usbtoken0 complete

Page 36: Copy files

• Copies the running config to the eToken

router# copy running-config usbtoken0:
Or
router# copy running-config usbflash0:

c2851-27#copy running-config ?
  archive:        Copy to archive: file system
  flash:          Copy to flash: file system
  ftp:            Copy to ftp: file system
  http:           Copy to http: file system
  https:          Copy to https: file system
  ips-sdf         Update (merge with) IPS signature configuration
  null:           Copy to null: file system
  nvram:          Copy to nvram: file system
  rcp:            Copy to rcp: file system
  running-config  Update (merge with) current system configuration
  scp:            Copy to scp: file system
  startup-config  Copy to startup configuration
  system:         Copy to system: file system
  tftp:           Copy to tftp: file system
  usbflash1:      Copy to usbflash1: file system
  usbtoken0:      Copy to usbtoken0: file system
  xmodem:         Copy to xmodem: file system
  ymodem:         Copy to ymodem: file system

Page 37: Copy image from flash: to usbflash0:

• Copy an image from flash: to usbflash0:

router#copy flash:c1841-advsecurityk9-mz.123-14T usbflash0:
Destination filename [c1841-advsecurityk9-mz.123-14T]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC (progress indicator continues)
17523748 bytes copied in 58.544 secs (299326 bytes/sec)

Page 38: Delete a File

• Deleting a file from the USB file system

router# delete usbtoken0:running-config
Or
router# delete usbflash0:running-config

c2851-27#delete usbtoken0:running-config
Delete filename [running-config]?
Delete usbtoken0:running-config? [confirm]
c2851-27#

Page 39: Other USB commands

The following are additional USB commands:
• show usb controller
• show usb device
• show usb driver

Page 40: Plug in and unplug the USB Flash

Plugging in the USB Flash:
router#
*Feb 2 19:21:53.531: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Full speed USB device has been inserted in port 0.
*Feb 2 19:21:54.171: %USBFLASH-5-CHANGE: usbflash0 has been inserted!

Unplugging the USB Flash:
Router#
*Feb 2 19:29:26.595: %USB_HOST_STACK-6-USB_DEVICE_DISCONNECTED: A USB device has been removed from port 0.
*Feb 2 19:29:26.699: %USBFLASH-5-CHANGE: usbflash0 has been removed!

Page 41: eToken Specific commands

Page 42: Plug in the eToken

Plug in the eToken, with the user PIN stored in the running-config:

c2851-27#
*Jan 13 05:17:20.001: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Low speed USB device has been inserted in port 0.
*Jan 13 05:17:21.497: %USB_TOKEN_FILESYS-6-USB_TOKEN_INSERTED: USB Token device inserted: usbtoken0.
*Jan 13 05:17:21.501: %USB_TOKEN_FILESYS-6-REGISTERING_WITH_IFS: Registering USB Token File System usbtoken0: might take a while...
*Jan 13 05:17:21.841: %CRYPTO-6-TOKENINSERTED: Cryptographic token eToken inserted in usbtoken0
*Jan 13 05:17:22.053: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful
*Jan 13 05:17:25.401: %USB_TOKEN_FILESYS-6-REGISTERED_WITH_IFS: USB Token File System usbtoken0 is registered...

Page 43: Login and logout to the eToken

• Log in to the eToken

router# crypto pki token usbtoken0: login 1234567890

c2851-27#crypt pki token usbtoken0: login 1234567890
Token eToken is usbtoken0
Token login to usbtoken0(eToken) successful
*Jan 13 05:26:46.385: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful

• Log out from the eToken

router# crypto pki token usbtoken0: logout

crypto pki token usbtoken0: logout
Token eToken is usbtoken0
Token logout from usbtoken0(eToken) successful
*Jan 28 05:46:59.544: %CRYPTO-6-TOKENLOGOUT: Cryptographic Token eToken Logout Successful

Page 44: Troubleshooting Login failure

• Successful login

c2851-27#crypto pki token usbtoken0: login 1234567890
Token eToken is usbtoken0
Token login to usbtoken0(eToken) successful
A pre-shared key for address mask 10.23.2.3 255.255.255.255 already exists!
c2851-27#
*Jan 13 18:44:44.038: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful
c2851-27#

• Failed login with wrong PIN

c2851-27#crypto pki token usbtoken0: login 1234567891
Token eToken is usbtoken0
Token login to usbtoken0(eToken) failed
c2851-27#
*Jan 13 18:44:50.558: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED
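The TOKENLOGIN and TOKENLOGINFAILED messages above, together with the TOKENREMOVED and TOKENKEYSDEACTIVATED messages on page 21, are what a syslog collector receives from the router, and they are enough to notice repeated wrong-PIN attempts and unexpected loss of the VPN credentials. The following Python script is an added example, not part of the training material: it parses lines in the message format the slides show (the sample lines are constructed from those formats, with the timestamps and the repeated failures made up for the demonstration), and raises an alert when several TOKENLOGINFAILED messages arrive inside a short window or when RSA keypairs are deactivated. The three-failure and 60-second thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the message formats shown on the slides.
SAMPLE_SYSLOG = """\
*Jan 13 18:44:20.001: %USB_HOST_STACK-6-USB_DEVICE_CONNECTED: A Low speed USB device has been inserted in port 0.
*Jan 13 18:44:21.841: %CRYPTO-6-TOKENINSERTED: Cryptographic token eToken inserted in usbtoken0
*Jan 13 18:44:50.558: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED
*Jan 13 18:44:53.102: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED
*Jan 13 18:44:56.377: %CRYPTO-3-TOKENLOGINFAILED: Cryptographic Token eToken Login FAILED
*Jan 13 18:45:44.038: %CRYPTO-6-TOKENLOGIN: Cryptographic Token eToken Login Successful
*Jan 13 19:01:45.801: %CRYPTO-6-TOKENREMOVED: Cryptographic token eToken removed from usbtoken0
*Jan 13 19:01:45.801: %CRYPTO-4-TOKENKEYTIMEOUT: RSA keypairs for token eToken and associated IPSEC sessions will be deactivated in 1 seconds
*Jan 13 19:01:46.801: %CRYPTO-4-TOKENKEYSDEACTIVATED: RSA keypairs from token eToken and associated IPSEC sessions being deactivated now
"""

# "*Mon dd hh:mm:ss.mmm: %FACILITY-severity-MNEMONIC: text"
_LINE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$"
)


def parse_syslog(text):
    """Turn IOS log lines into event dicts; lines that are not messages are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        # The router timestamp carries no year; strptime fills in 1900, which
        # is fine because only differences between timestamps are used below.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        events.append({
            "ts": ts,
            "facility": m["facility"],
            "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"],
            "text": m["text"],
        })
    return events


def detect_token_events(events, max_failures=3, window=timedelta(seconds=60)):
    """Alert on a burst of failed token logins and on keypair deactivation."""
    alerts = []
    failures = []  # timestamps of recent TOKENLOGINFAILED messages
    for ev in events:
        if ev["mnemonic"] == "TOKENLOGINFAILED":
            failures.append(ev["ts"])
            failures = [t for t in failures if ev["ts"] - t <= window]
            if len(failures) >= max_failures:
                alerts.append({"kind": "pin_guessing", "at": ev["ts"],
                               "count": len(failures)})
                failures = []  # report once per burst
        elif ev["mnemonic"] == "TOKENLOGIN":
            failures = []  # a successful login closes the burst
        elif ev["mnemonic"] == "TOKENKEYSDEACTIVATED":
            # Keys are gone and the IPsec sessions with them: the VPN is down.
            alerts.append({"kind": "keys_deactivated", "at": ev["ts"], "count": 1})
    return alerts


if __name__ == "__main__":
    for a in detect_token_events(parse_syslog(SAMPLE_SYSLOG)):
        print(f"{a['at']:%b %d %H:%M:%S} {a['kind']} (count={a['count']})")
```

Severity 3 on TOKENLOGINFAILED versus 6 on the informational insert and login messages is what makes the failure lines easy to route in a collector; the burst counter adds the context a single line lacks.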

Page 45: Summary

Credential Storage with eToken:
1. Storing the Credentials
2. Using the Credentials
Simplified Provisioning:
1. Secure Provisioning with eToken
2. Bootstrap Provisioning
Using the USB Flash and eToken File System
