Managing public keys 
Overview 
This chapter describes public key management for the following asymmetric key algorithms:  
•  Rivest-Shamir-Adleman Algorithm (RSA). 
•  Digital Signature Algorithm (DSA). 
•  Elliptic Curve Digital Signature Algorithm (ECDSA). 
Many security applications, including SSH, SSL, and PKI, use asymmetric key algorithms to secure 
communications between two parties, as shown in Figure 80. Asymmetric key algorithms use two 
separate keys (one public and one private) for encryption and decryption. Symmetric key algorithms 
use only one key. 
Figure 80 Encryption and decryption 
[Figure: the sender encrypts plain text into cipher text with a key; the receiver decrypts the cipher text back into plain text with a key] 
A key owner can distribute the public key in plain text on the network but must keep the private key 
secret. It is mathematically infeasible to derive the private key even if an attacker knows the 
algorithm and the public key. 
The security applications use the asymmetric key algorithms for the following purposes: 
•  Encryption and decryption—Anyone holding the public key can use it to encrypt information, 
but only the private key owner can decrypt the information.  
•  Digital signature—The key owner uses the private key to digitally sign the information to be sent. 
The receiver verifies the signature with the sender's public key to confirm the authenticity of the 
information.  
RSA, DSA, and ECDSA can all perform digital signing, but only RSA can perform encryption and 
decryption. 
Asymmetric key algorithms enable secure key distribution over an insecure network. As with 
symmetric key algorithms, the security strength of an asymmetric key depends on its key length (the 
modulus length).  
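The two purposes above, worked through in textbook RSA: encrypting a symmetric session key so that only the private key owner can recover it, and signing data so that any holder of the public key can verify it. This is an added example, not code from this guide or from the device; the primes, the session-key value and the reduction of the hash modulo n are constructed simplifications, and a modulus this small with no padding is unsuitable for real use.

```python
import hashlib
from math import gcd

# Constructed toy primes (assumption): real RSA keys use moduli of 2048 bits or more.
P, Q = 1000003, 1000033


def make_keypair(p=P, q=Q, e=65537):
    """Return (public, private) as ((e, n), (d, n)) from two primes (textbook RSA)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime with phi(n)"
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt an integer m < n."""
    e, n = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private key owner can recover m from c."""
    d, n = private_key
    return pow(c, d, n)


def _digest(data, n):
    # SHA-256 reduced mod n so the value fits this toy modulus; real schemes
    # use padding (PSS, PKCS#1 v1.5) instead of a bare reduction.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """The key owner signs the hash of data with the private key."""
    d, n = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data, signature):
    """Any receiver checks the signature with the sender's public key."""
    e, n = public_key
    return pow(signature, e, n) == _digest(data, n)


def demo():
    public, private = make_keypair()
    session_key = 0x5EC0DE42  # constructed 32-bit symmetric key to distribute
    recovered = decrypt(private, encrypt(public, session_key))
    sig = sign(private, b"config backup 2024")
    return (recovered == session_key, verify(public, b"config backup 2024", sig),
            verify(public, b"config backup 2025", sig))  # tampered data fails
```

demo() returns (True, True, False): the session key round-trips, the genuine message verifies, and the altered message does not.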
FIPS compliance 
The device supports FIPS mode, which complies with NIST FIPS 140-2 requirements. Support for 
features, commands, and parameters might differ between FIPS mode (see "Configuring FIPS") and 
non-FIPS mode.  
Creating a local key pair 
When you create a local key pair, follow these guidelines: 
•  The key algorithm must be the same as required by the security application. 