1.6.3 Ensure 'RSA key pair' is greater than or equal to 2048 bits

Information

Generates an RSA key pair used by SSH protocol of at least 2048 bits

Rationale:

Secure Shell (SSH) is a secure remote-login protocol. The ASA allows SSH connections to the ASA for management purposes and supports the SSH DES and 3DES ciphers. SSH uses a key-exchange method based on Rivest-Shamir-Adleman (RSA) public-key. Since RSA 1024-bit keys are likely to become crackable, it is recommended to have RSA keys of at least 2048 bits.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Step 1: Acquire the enterprise standard RSA key size greater or equal than 2048 bits

Step 2: If the audit procedure revealed existing non-compliant key pairs, run the following to remove them:

hostname(config)#crypto key zeroize rsa

Step 3: Run the following to generate compliant RSA key pair:

hostname(config)# crypto key generate rsa modulus <enterprise_RSA_key_size>

Step 4: Run the following to save the RSA keys to persistent Flash memory

hostname(config)#write memory

See Also

https://workbench.cisecurity.org/files/3246

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|11.1

Plugin: Cisco

Control ID: f943e3e4b10527145b7bae24493673a5f90d896c6d24a9de0570e4fa5a19cf9a