SunScreen SKIP User's Guide, Release 1.5.1

Installing SKIP Unsigned Diffie-Hellman (UDH) Certificates

Once SKIP has been installed, you must install at least one local identity (public-private key pair) for your host. The following procedure creates a SKIP UDH certificate, which is the one you will most likely use. For a more detailed discussion of SKIP UDH certificates, see Appendix B, How SKIP Works.

Chapter 2 discusses keys, certificates, and hashes in greater detail. If you are installing other kinds of keys and certificates, see the documentation that is supplied with them or contact the vendor. If you are installing keys and certificates from Sun Microsystems, see Chapter 2, Installing Keys and Certificates.

The skiplocal command creates and manages all local key types, including UDH certificates, on your system. You can have more than one UDH certificate on your system. Your local identities can also be of different lengths (moduli), depending on the version of SunScreen SKIP that you have. The default will always be the largest modulus you can generate.


Note -

Local secret is the term used for an encryption certificate and key.


Initialize SKIP Directories

On a first-time SKIP installation, you must initialize the SKIP directories before you create any certificates.

    Issue the following command to initialize the SKIP directories:


    skiplocal -i
    
Generating a UDH Keypair

    To generate a UDH key pair locally, type:


    skiplocal -k 
    

    Note -

    If you have local identities of different strengths (such as 512, 1024, 2048, or 4096 bits), use the argument -m followed by the bit size of the modulus without an intervening space, as in the following figure.


    When generating an unsigned certificate, no authority exists to certify the identities. This means that each party must verify the name of the certificate over the telephone or some other trusted channel. Without verification through a secure channel, you have no way of knowing if the certificate belongs to the correct party or not.

    In the following figure, the skiplocal -k command is used to generate a local key pair, in this case with a 512-bit modulus.


    Example 1-1 512-bit Modulus


    # skiplocal -k -m 512
    generating local secret with 512 modulus size
    It would help the quality of the random numbers if you would
    type 50-100 random keys on the keyboard. Hit return when
    you are done.
    100 
    Format: Hashed Public Key (MD5)
    Name/Hash: 9e 23 db 35 a2 c2 d8 17 20 19 21 99 3d c9 06 e1 
    Not valid Before: Sun Aug 25 17:00:00 1996
    Not valid After: Sat Aug 25 17:00:00 2001
    g: 2
    p: f52aff3ce1b1294018118d7c84a70a72d676c40319c807297aca950cd9969fabd00a509b0246
    d3083d66a45d419f9c7cbd894b221926baaba25eca55e92a055f
    public key: 0b5522b769b3d2b8098e69312a941ce7e6de9e1635ca09dd780b328db71141739e9bb46a3
    d0d183372d98d7c2a0d850b70fad05edaaaa865ae5dddf618cadbff
    Added local identity slot 0

Printing out Local Information

    To print out local information in a shareable form, type:


    skiplocal -x
    

    In the following figure, the skiplocal -x command prints out the local system's current information in a form that can be sent (for example, via email) to other users who wish to communicate with you.


    Caution -

    The defaults proposed by skiplocal -x work well if you and the party with whom you wish to communicate have one key and one network interface. If you have some other configuration, you should not use skiplocal -x.


    A safer solution than using skiplocal -x is to have each user run skiptool and then call each other on the telephone and type the other person's key ID in the Remote Key ID field in the add window (See Chapter 3, Using the skiptool GUI).

    In the following example, the first command shows you the local information. The next command redirects that information to a mail message sent to a machine that wishes to communicate with you using SKIP. The person receiving the message copies the information and pastes it into the command line, which adds an ACL entry for your host.


    Example 1-2 Sending and Loading an ACL Entry


    On local machine (mysun) display ACL entry in export format
    
    # skiplocal -x
    skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 
    -s 8 -k des-ede-k3 -t des-cbc -m md5
    
    Mail above text to the username@host
    
    # skiplocal -x| mail username@host
    
    
    
    On peer machine (host) execute skiphost command from mail message sent by mysun
    
    # skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8
    -s 8 -k des-ede-k3 -t des-cbc -m md5 
    
    Result:
    
    Adding mysun:              SKIP params:
        IP mode:               tunneling
        Tunnel address         mysun
        Kij alg:               DES-EDE-K3
        Crypt alg:             DES-CBC
        MAC alg:               MD5
        Receiver NSID          MD5 (DH Pub. Value)
        Receiver key id        0x24be59e388dadfa6814885d1e5f79de9
        Sender NSID            MD5 (DH Pub. Value)
    
    done.


    Caution -

    Even when using skiplocal -x, make sure you both verify the key ID over the telephone with the other party to make sure no one is impersonating them.
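    The telephone check described above (and in the earlier note on unsigned certificates) is the only thing standing between you and an impersonated peer, so it is worth doing mechanically rather than by eye. The following script is an added example and not part of SunScreen SKIP: it pulls the -R key ID out of a mailed skiphost line, normalizes it against the fingerprint forms the guide prints (the spaced "9e 23 db ..." output of skiplocal -k, the compact MKID of skiplocal -l, and the 0x form used by skiphost), and compares it with what the peer reads over the telephone. It also generates a local DH identity using the p and g values from Example 1-1 and derives a key ID from the public value; the assumption that the NSID 8 key ID is MD5 over the big-endian public value padded to the modulus width is this example's own, since the guide shows the output but not the byte encoding. All function names and the constructed mail line and spoken fingerprints are assumptions for illustration.

```python
"""Out-of-band verification of a SKIP UDH key ID.

Added example, not code from the SunScreen SKIP product. It models the
guide's instruction to verify the key ID over the telephone before adding
an ACL entry from a mailed skiphost command.
"""
import hashlib
import hmac
import re
import secrets

# Diffie-Hellman parameters taken from Example 1-1 (512-bit modulus).
G = 2
P = int(
    "f52aff3ce1b1294018118d7c84a70a72d676c40319c807297aca950cd9969fabd00a509b0246"
    "d3083d66a45d419f9c7cbd894b221926baaba25eca55e92a055f", 16)


def generate_udh_identity(p=P, g=G):
    """Create a local secret x and its DH public value g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def key_id_from_public_value(pub, p=P):
    """NSID 8 names a key by the MD5 of its DH public value.

    ASSUMPTION: the value is hashed as a big-endian integer padded to the
    modulus width; the guide shows the resulting hash, not the encoding.
    """
    width = (p.bit_length() + 7) // 8
    return hashlib.md5(pub.to_bytes(width, "big")).hexdigest()


def normalize_key_id(text):
    """Accept the spaced form printed by skiplocal -k ("9e 23 db ..."),
    the compact MKID form of skiplocal -l, or the 0x form of skiphost -R,
    and return 32 lowercase hex digits."""
    hexstr = re.sub(r"[\s:]", "", text).lower()
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    if not re.fullmatch(r"[0-9a-f]{32}", hexstr):
        raise ValueError(f"not a 128-bit key ID: {text!r}")
    return hexstr


def key_id_from_skiphost_line(line):
    """Pull the -R argument (the remote key ID) out of a mailed skiphost line."""
    m = re.search(r"-R\s+(0x[0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("no -R key ID in skiphost command")
    return normalize_key_id(m.group(1))


def verify_key_id(mailed_line, spoken_fingerprint):
    """True only if the mailed key ID equals the fingerprint read over the
    telephone. Constant-time comparison so the check itself does not leak."""
    mailed = key_id_from_skiphost_line(mailed_line)
    spoken = normalize_key_id(spoken_fingerprint)
    return hmac.compare_digest(mailed, spoken)


# Constructed inputs: the skiphost line from Example 1-2 as it would arrive
# by mail, and the fingerprint as the owner of mysun would read it aloud.
MAILED = ("skiphost -a mysun -R 0x24be59e388dadfa6814885d1e5f79de9 -r 8 "
          "-s 8 -k des-ede-k3 -t des-cbc -m md5")
SPOKEN_OK = "24 be 59 e3 88 da df a6 81 48 85 d1 e5 f7 9d e9"
# The identity from Example 1-1: a real key, but not the one that was mailed.
SPOKEN_OTHER = "9e 23 db 35 a2 c2 d8 17 20 19 21 99 3d c9 06 e1"

if __name__ == "__main__":
    x, pub = generate_udh_identity()
    print("local key id (assumed encoding):", key_id_from_public_value(pub))
    print("mailed id matches phone call:", verify_key_id(MAILED, SPOKEN_OK))
    print("mailed id matches other identity:", verify_key_id(MAILED, SPOKEN_OTHER))
```

    Only run the skiphost line after verify_key_id returns True; a False result means the mail and the telephone disagree and the ACL entry should not be added.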


Listing the Current Local Identities

    To list the current local identities, type:


    skiplocal -l
    

    In the following figure, the skiplocal -l command is used to list the current local identities.


    Example 1-3 Listing All Local Identities


    # skiplocal -l
    Local ID Slot Name: 0	Type: Software Slot
    	NSID: 8 MKID (name): 24be59e388dadfa6814885d1e5f79de9
    	Not Valid Before: Tue Aug 6 17:00:00 1996
    	Not Valid After: Mon Aug 6 17:00:00 2001
    	Modulus size: 2048 bits
    
    Local ID Slot Name: 1	Type: Software Slot
    	NSID: 8 MKID (name): 8ace505b602127f38e08f74f13d0c915
    	Not Valid Before: Sun Aug 25 17:00:00 1996
    	Not Valid After: Sat Aug 25 17:00:00 2001
    	Modulus size: 2048 bits
    
    Local ID Slot Name: 2	Type: Software Slot
    	NSID: 8 MKID (name): 9e23db35a2c2d817201921993dc906e1
    	Not Valid Before: Sun Aug 25 17:00:00 1996
    	Not Valid After: Sat Aug 25 17:00:00 2001
    	Modulus size: 512 bits
    
    #

    For more information on the skiplocal command, refer to Chapter 4, Using the Command-Line Interface and to the man pages for SunScreen SKIP.
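    Each identity in the listing above carries a validity window and a modulus size, and the guide notes that the largest modulus is the default. The following script is an added example, not part of SunScreen SKIP: it parses the skiplocal -l output format shown in Example 1-3 and reports identities that are expired, not yet valid, close to expiry, or below a modulus floor. The 30-day warning window and the 1024-bit floor are policy values assumed here for illustration, as are the function names; the listing text is the guide's own Example 1-3 output, embedded as constructed input.

```python
"""Audit of the local identities printed by `skiplocal -l`.

Added example, not code from the SunScreen SKIP product. Parses the
listing format of Example 1-3 and flags identities needing attention.
"""
import re
from datetime import datetime, timedelta

# Constructed input: the output of skiplocal -l from Example 1-3
# (prompt lines omitted; the parser skips them anyway).
LISTING = """\
Local ID Slot Name: 0\tType: Software Slot
\tNSID: 8 MKID (name): 24be59e388dadfa6814885d1e5f79de9
\tNot Valid Before: Tue Aug 6 17:00:00 1996
\tNot Valid After: Mon Aug 6 17:00:00 2001
\tModulus size: 2048 bits

Local ID Slot Name: 1\tType: Software Slot
\tNSID: 8 MKID (name): 8ace505b602127f38e08f74f13d0c915
\tNot Valid Before: Sun Aug 25 17:00:00 1996
\tNot Valid After: Sat Aug 25 17:00:00 2001
\tModulus size: 2048 bits

Local ID Slot Name: 2\tType: Software Slot
\tNSID: 8 MKID (name): 9e23db35a2c2d817201921993dc906e1
\tNot Valid Before: Sun Aug 25 17:00:00 1996
\tNot Valid After: Sat Aug 25 17:00:00 2001
\tModulus size: 512 bits
"""

SLOT_RE = re.compile(r"Local ID Slot Name:\s*(\d+)\s+Type:\s*(.*\S)")
NSID_RE = re.compile(r"NSID:\s*(\d+)\s+MKID \(name\):\s*([0-9a-fA-F]{32})")
DATE_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Tue Aug 6 17:00:00 1996"


def _date_after_label(line):
    return datetime.strptime(line.split(":", 1)[1].strip(), DATE_FMT)


def parse_skiplocal_listing(text):
    """Return one dict per local identity slot in the listing."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SLOT_RE.match(line)
        if m:
            current = {"slot": int(m.group(1)), "type": m.group(2)}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"field before any slot header: {line!r}")
        m = NSID_RE.match(line)
        if m:
            current["nsid"] = int(m.group(1))
            current["mkid"] = m.group(2).lower()
        elif line.startswith("Not Valid Before:"):
            current["not_before"] = _date_after_label(line)
        elif line.startswith("Not Valid After:"):
            current["not_after"] = _date_after_label(line)
        elif line.startswith("Modulus size:"):
            current["modulus_bits"] = int(re.search(r"(\d+)\s*bits", line).group(1))
    return records


def audit_identities(records, now, warn_days=30, min_modulus_bits=1024):
    """Map slot number -> list of issue codes; slots with no issues are omitted.

    warn_days and min_modulus_bits are assumed policy values, not SKIP settings.
    """
    findings = {}
    for rec in records:
        issues = []
        if now < rec["not_before"]:
            issues.append("not-yet-valid")
        elif now > rec["not_after"]:
            issues.append("expired")
        elif rec["not_after"] - now <= timedelta(days=warn_days):
            issues.append("expiring-soon")
        if rec["modulus_bits"] < min_modulus_bits:
            issues.append("weak-modulus")
        if issues:
            findings[rec["slot"]] = issues
    return findings


if __name__ == "__main__":
    recs = parse_skiplocal_listing(LISTING)
    for slot, issues in sorted(audit_identities(recs, datetime.now()).items()):
        print(f"slot {slot} ({recs[slot]['mkid']}): {', '.join(issues)}")
```

    Feed it live output with `skiplocal -l | python3 audit.py` after replacing LISTING with sys.stdin.read(); the slot-to-MKID mapping it prints is also what you read out when a peer asks which identity to expect.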


    Note -

    If you installed a UDH certificate during installation, the information in Chapter 2, Installing Keys and Certificates will not apply to you unless you also plan to install SunCA keys and certificates. You can use SKIP UDH certificates and SunCA keys and certificates at the same time with SunScreen SKIP.