Elliptic curve cryptography (ECC)

As of LCOS 9.00 you can generate ECDSA keys on a device in addition to the RSA and DSA keys.

SSH key generation with LCOS

To generate a key pair consisting of a public and a private key, you enter the following command at the console:
sshkeygen [-?|-h] [-t (dsa|rsa|ecdsa)] [-b <Bits>] -f <OutputFile> [-q]
-?, -h
Displays a brief help text about the available parameters
-t (dsa|rsa|ecdsa)
This parameter specifies what type of key is generated. SSH supports the following types of keys:
  • RSA keys are most widely used and have a length between 512 and 16384 bits. If possible you should work with keys of 1024 to 2048 bits in length.
  • DSA keys follow the Digital Signature Standard (DSS) set down by the National Institute of Standards and Technology (NIST) and are typically used in environments which are required to comply with the Federal Information Processing Standard (FIPS). DSA and DSS keys are always 1024 bits long, but they are slower to process than a corresponding RSA key.
  • ECDSA keys are a variant of DSA keys, whereby the device uses elliptic curves for key generation (elliptic curve cryptography, ECC). ECC is an alternative to the conventional signature and key exchange techniques such as RSA and Diffie-Hellman. The main advantage of elliptic curves is that their mathematical properties offer the same key strength as RSA or Diffie-Hellman but with a significantly shorter key length. This provides for better hardware performance. ECC and its integration in SSL and TLS are described in RFCs 5656 and 4492.
If no type is specified, the command generates an RSA key by default.
-b <Bits>
This parameter sets the length of the RSA key in bits. If you do not specify a length, the command produces a key with a length of 1024 bits by default.
-f <OutputFile>
This parameter specifies the mounting point of the generated key file in the device file system. The choice of mounting point depends on what type of key you are generating. The choices available to you are:
  • ssh_rsakey for RSA keys
  • ssh_dsakey for DSA keys
  • ssh_ecdsakey for ECDSA keys
-q
This parameter enables the 'quiet' mode for the key generation. If you set this parameter, LCOS overwrites any existing RSA or DSA keys without asking; there is no information about the progress of the operation. You can, for example, use this parameter in a script to suppress any security prompts for the users.
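Because -q removes the overwrite prompt, it helps to check sshkeygen lines in a provisioning script before they reach a device. The following Python lint is an added example, not part of LCOS or of the original documentation; it applies only the rules stated above, and the function name lint_sshkeygen and the sample lines are constructed for illustration.

```python
import shlex

# Rules taken from the parameter descriptions above.
KEY_FILE = {"rsa": "ssh_rsakey", "dsa": "ssh_dsakey", "ecdsa": "ssh_ecdsakey"}
RSA_MIN, RSA_MAX = 512, 16384


def lint_sshkeygen(line):
    """Return review findings for one sshkeygen line (empty list = nothing to flag)."""
    args = shlex.split(line)
    if not args or args[0] != "sshkeygen":
        return ["not an sshkeygen command"]
    opts, findings = {}, []
    it = iter(args[1:])
    for flag in it:
        if flag in ("-?", "-h", "-q"):
            opts[flag] = True
        elif flag in ("-t", "-b", "-f"):
            opts[flag] = next(it, "")  # empty string if the value is missing
        else:
            findings.append(f"unknown option: {flag}")
    if "-?" in opts or "-h" in opts:
        return findings  # help text only, no key is generated
    ktype = opts.get("-t", "rsa")  # RSA is the documented default type
    if ktype not in KEY_FILE:
        return findings + [f"unsupported key type: {ktype!r}"]
    if opts.get("-f") != KEY_FILE[ktype]:
        findings.append(f"-f must be {KEY_FILE[ktype]} for type {ktype}, got {opts.get('-f')!r}")
    bits = opts.get("-b")
    if bits is None:
        if ktype == "rsa":
            findings.append("no -b given: RSA key defaults to 1024 bits")
    elif not bits.isdecimal():
        findings.append(f"-b value is not a number: {bits!r}")
    elif ktype == "rsa" and not RSA_MIN <= int(bits) <= RSA_MAX:
        findings.append(f"RSA length {bits} is outside {RSA_MIN}-{RSA_MAX} bits")
    elif ktype == "dsa" and int(bits) != 1024:
        findings.append("DSA keys are always 1024 bits long")
    if "-q" in opts:
        findings.append("-q: an existing key is overwritten without a prompt")
    return findings


if __name__ == "__main__":
    # Constructed sample lines, as they might appear in a provisioning script.
    for s in ("sshkeygen -t ecdsa -f ssh_ecdsakey", "sshkeygen -q -t ecdsa -f ssh_rsakey"):
        print(s, "->", lint_sshkeygen(s) or "ok")
```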