Table Of Contents
Digitally Signed Cisco Software
Restrictions for Digitally Signed Cisco Software
Information About Digitally Signed Cisco Software
Features and Benefits of Digitally Signed Cisco Software
Digitally Signed Cisco Software Identification
How to Work with Digitally Signed Cisco Software Images
Identifying Digitally Signed Cisco Software
Displaying Digitally Signed Cisco Software Signature Information
Displaying Digital Signature Information for a Specific Image File
Displaying Digitally Signed Cisco Software Key Information
Troubleshooting Digitally Signed Cisco Software Images
Configuration Examples for Digitally Signed Cisco Software
Identifying Digitally Signed Cisco Software: Example
Displaying Digitally Signed Cisco Software Signature Information: Example
Displaying the Digital Signature Information for a Specific Image File: Example
Displaying Digitally Signed Cisco Software Key Information: Example
Enabling Debugging of Digitally Signed Cisco Software Image Key Information: Example
Feature Information for Digitally Signed Cisco Software
Digitally Signed Cisco Software
First Published: October 2, 2009
Last Updated: October 2, 2009
Cisco is advancing the technology available to verify and validate the origin and integrity of the system software that is loaded into Cisco products. Newer products are being outfitted with software verification technology, and software is being digitally signed using asymmetric (public-key) cryptography; such software is referred to as digitally signed software. This module describes how to identify digitally signed Cisco software and how to display the software authentication information associated with it.
The goal is to ensure that customers are confident that the software running within their systems is secure and tamper-free, and that the software running in those systems originated from the trusted source as claimed.
No action is necessary for customers to take advantage of the increased protection. The system operation is largely transparent to existing practices. Some minor changes in system displays reflect the use of digitally signed Cisco software.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Digitally Signed Cisco Software" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Restrictions for Digitally Signed Cisco Software
• Information About Digitally Signed Cisco Software
• How to Work with Digitally Signed Cisco Software Images
• Configuration Examples for Digitally Signed Cisco Software
• Feature Information for Digitally Signed Cisco Software
Restrictions for Digitally Signed Cisco Software
The Cisco 19xx Series, 29xx, and 39xx Series Routers include the functionality described in this document.
Information About Digitally Signed Cisco Software
This section contains information on the following topics:
• Features and Benefits of Digitally Signed Cisco Software
• Digitally Signed Cisco Software Identification
Features and Benefits of Digitally Signed Cisco Software
Three main factors drive digitally signed Cisco software and software integrity verification:
• The U.S. government introduction of a new version of the Federal Information Processing Standard (FIPS) 140. At the time of writing, FIPS 140-3 is the latest draft and is scheduled for ratification in 2009 and to be effective in 2011. This standard requires software to be digitally signed and to be verified for authenticity and integrity prior to load and execution.
• The focus on product security, which provides increased protection from attacks and threats in Cisco products. Digitally signed Cisco software offers increased protection from the installation and loading of software that has been corrupted or modified.
• Counterfeit protection. Digitally signed Cisco software provides further assurance for customers that the equipment they purchase is as claimed.
Digitally Signed Cisco Software Identification
Digitally signed Cisco IOS software is identified by a three-character extension in the image name. The Cisco software build process gives each Cisco IOS image file an extension derived from the signing key that was used to sign it. These file extensions are:
• .SPA
• .SSA
The significance of each character in the file extension is explained in Table 1.
Table 1 Digitally Signed Cisco Software Image Extension Characters
S (first character)   Digitally signed software.
P (second character)  Production image, signed with the release key.
S (second character)  Special (development) image, signed with the development key.
A (third character)   Version of the key used to sign the image (A in the examples in this module).
How to Work with Digitally Signed Cisco Software Images
This section contains the following tasks:
• Identifying Digitally Signed Cisco Software (Optional)
• Displaying Digitally Signed Cisco Software Signature Information (Optional)
• Displaying Digital Signature Information for a Specific Image File (Optional)
• Displaying Digitally Signed Cisco Software Key Information (Optional)
• Troubleshooting Digitally Signed Cisco Software Images (Optional)
Identifying Digitally Signed Cisco Software
Perform this task to identify digitally signed Cisco software by examining the image filename in the output of the show version command and checking it against the criteria described in the "Digitally Signed Cisco Software Identification" section.
Note
If the image file has been renamed, the extension may no longer be present, so the filename alone cannot show whether the image is digitally signed. The filename is only a naming convention; verification does not depend on it. Use the show software authenticity file command to display the signature information for a renamed image.
SUMMARY STEPS
1. enable
2. show version
DETAILED STEPS
Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.
Step 2  show version
        Example: Router# show version
        Displays system software information, including the system image filename to check against the identification criteria.
Displaying Digitally Signed Cisco Software Signature Information
Use this task to display information related to software authentication for the current ROM monitor (ROMMON), monitor library (monlib), and the Cisco IOS image file used for booting. The information displayed includes image credential information, the key type used for verification, signature information, and other attributes in the signature envelope.
SUMMARY STEPS
1. enable
2. show software authenticity running
DETAILED STEPS
Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.
Step 2  show software authenticity running
        Example: Router# show software authenticity running
        Displays the software authentication information for the running ROMMON, monlib, and Cisco IOS image.
Displaying Digital Signature Information for a Specific Image File
Use this task to display the digital signature information related to software authentication for a specific image file, for example an image that has been copied to flash but not yet booted, or one whose name no longer carries the signed-software extension.
SUMMARY STEPS
1. enable
2. show software authenticity file {flash0:filename | flash1:filename | flash:filename | nvram:filename | usbflash0:filename | usbflash1:filename}
DETAILED STEPS
Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.
Step 2  show software authenticity file {flash0:filename | flash1:filename | flash:filename | nvram:filename | usbflash0:filename | usbflash1:filename}
        Example: Router# show software authenticity file flash0:c3900-universalk9-mz.SSA
        Displays the digital signature information for the specified image file.
Displaying Digitally Signed Cisco Software Key Information
Use this task to display digitally signed Cisco software key information. The output lists the software public keys held in storage, with the key type of each (for example, release or development) and its key version.
SUMMARY STEPS
1. enable
2. show software authenticity keys
DETAILED STEPS
Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.
Step 2  show software authenticity keys
        Example: Router# show software authenticity keys
        Displays the public keys in storage, with their key types and versions.
Troubleshooting Digitally Signed Cisco Software Images
Perform this task to troubleshoot problems with digitally signed Cisco software images.
SUMMARY STEPS
1. enable
2. debug software authenticity {envelope | errors | key | show | verbose}
DETAILED STEPS
Step 1  enable
        Example: Router> enable
        Enables privileged EXEC mode. Enter your password if prompted.
Step 2  debug software authenticity {envelope | errors | key | show | verbose}
        Example: Router# debug software authenticity key
        Enables debugging of software authentication events for the selected area: signature envelope processing, errors, key handling, show command processing, or verbose output.
Configuration Examples for Digitally Signed Cisco Software
This section contains the following configuration examples:
• Identifying Digitally Signed Cisco Software: Example
• Displaying Digitally Signed Cisco Software Signature Information: Example
• Displaying the Digital Signature Information for a Specific Image File: Example
• Displaying Digitally Signed Cisco Software Key Information: Example
• Enabling Debugging of Digitally Signed Cisco Software Image Key Information: Example
Identifying Digitally Signed Cisco Software: Example
The following example displays the digitally signed Cisco software image filename and allows a user to identify it based on the digitally signed Cisco software identification criteria.
Router# show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), 12.4(20090904:044027) [i12 577]
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 04-Sep-09 09:22 by xxx
ROM: System Bootstrap, Version 12.4(20090303:092436)
C3900-2 uptime is 8 hours, 41 minutes
System returned to ROM by reload at 08:40:40 UTC Tue May 21 1901
!
System image file is "xxx.SPA"
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco xxx (revision 1.0) with CISCxxx with 987136K/61440K bytes of memory.
Processor board ID xxx
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
1 cisco Integrated Service Engine(s)
DRAM configuration is 72 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
1020584K bytes of USB Flash usbflash0 (Read/Write)
1020584K bytes of USB Flash usbflash1 (Read/Write)
500472K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device#   PID   SN
-------------------------------------------------
xx        xxx   xxxx
Technology Package License Information for Module:'xxx'
----------------------------------------------------------------
Technology    Technology-package                Technology-package
              Current        Type               Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9       Permanent          ipbasek9
security      securityk9     Evaluation         securityk9
uc            None           None               None
data          None           None               None
Configuration register is 0x2102
Note that the digitally signed image file is identified in the following line:
System image file is "xxx.SPA"
The image has a three-character extension in the filename (.SPA) that is characteristic of digitally signed Cisco software.
Displaying Digitally Signed Cisco Software Signature Information: Example
The following example shows how to display information related to software authentication for the current ROM monitor (ROMMON), monitor library (monlib), and Cisco IOS image file used for booting.
Router# show software authenticity running
SYSTEM IMAGE
-------------------
Image type                    : Development
    Signer Information
        Common Name               : xxx
        Organization Unit         : xxx
        Organization Name         : xxx
    Certificate Serial Number     : xxx
    Hash Algorithm                : xxx
    Signature Algorithm           : 2048-bit RSA
    Key Version                   : xxx
    Verifier Information
        Verifier Name             : ROMMON 2
        Verifier Version          : System Bootstrap, Version 12.4(20090409:084310)
ROMMON 2
---------------
Image type                    : xxx
    Signer Information
        Common Name               : xxx
        Organization Unit         : xxx
        Organization Name         : xxx
    Certificate Serial Number     : xxx
    Hash Algorithm                : xxx
    Signature Algorithm           : 2048-bit RSA
    Key Version                   : xx
    Verifier Information
        Verifier Name             : ROMMON 2
        Verifier Version          : System Bootstrap, Version 12.4(20090409:084310)
Table 2 describes the significant fields shown in the display.
Displaying the Digital Signature Information for a Specific Image File: Example
The following example shows how to display the digital signature information related to software authentication for a specific image file.
Router# show software authenticity file flash0:c3900-universalk9-mz.SSA
File Name                     : flash0:c3900-universalk9-mz.SSA
Image type                    : Development
    Signer Information
        Common Name               : xxx
        Organization Unit         : xxx
        Organization Name         : xxx
    Certificate Serial Number     : xxx
    Hash Algorithm                : SHA512
    Signature Algorithm           : 2048-bit RSA
    Key Version                   : A
Table 3 describes the significant fields shown in the display.
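The check that the "Digitally Signed Cisco Software Identification" section describes by eye, and that the display above makes possible for a single file, can be automated over collected CLI output. The following Python script is an added example, not Cisco code and not part of the original document. It assumes the extension is S, then P (production) or S (special/development), then the key-version letter; that the authenticity display uses "Name : Value" lines with the field names shown above; and, as operator policy, that only SHA512 and only production-signed images are acceptable. The two sample outputs are constructed for the example (the elided fields keep the page's xxx placeholders, and the Key Version B is deliberately chosen to disagree with the filename).

```python
"""Audit a collected Cisco IOS image against the digitally signed naming
criteria and the fields of 'show software authenticity file'.

Added example, not Cisco code. Assumptions: the extension is S, then
P (production) or S (special/development), then the key-version letter;
the authenticity display uses 'Name : Value' lines with the field names
shown on the page; the operator's policy accepts only SHA512 and only
production-signed images on production devices.
"""
import re
from typing import Dict, List, Optional

# Constructed sample output (not captured from a device). The image name
# says .SSA (signed, special/development image, key version A) but the
# signature envelope says Key Version B: the kind of disagreement a renamed
# or mislabelled file produces, and one the name alone cannot reveal.
SHOW_VERSION = """\
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 12.4
System image file is "flash0:c3900-universalk9-mz.SSA"
Configuration register is 0x2102
"""

SHOW_AUTH_FILE = """\
File Name                     : flash0:c3900-universalk9-mz.SSA
Image type                    : Development
    Signer Information
        Common Name               : xxx
        Organization Unit         : xxx
        Organization Name         : xxx
    Certificate Serial Number     : xxx
    Hash Algorithm                : SHA512
    Signature Algorithm           : 2048-bit RSA
    Key Version                   : B
"""

# .SPA / .SSA as a dot-separated token: the page's examples end with it, and
# image names that carry a version and .bin after it still match.
SIGNED_EXT = re.compile(r"\.S([PS])([A-Z])(?=\.|$)")
IMAGE_TYPE_BY_LETTER = {"P": "Production", "S": "Development"}


def system_image(show_version: str) -> Optional[str]:
    """Return the path quoted in the 'System image file is "..."' line."""
    m = re.search(r'System image file is "([^"]+)"', show_version)
    return m.group(1) if m else None


def parse_fields(output: str) -> Dict[str, str]:
    """Turn 'Name : Value' lines into a dict. Header lines without a colon
    (Signer Information) are skipped, and only the first colon splits, so a
    value such as flash0:... survives intact."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields


def audit_image(show_version: str, show_auth_file: str,
                allowed_hashes=("SHA512",), require_production=True) -> List[str]:
    """Return findings; an empty list means the image passes every check.

    Order: the running image carries the signed-software extension, the
    signature output is for that same file, the extension's image-type and
    key-version letters agree with the signed envelope, the hash algorithm is
    accepted, and (optionally) the image is a production release.
    """
    findings = []
    image = system_image(show_version)
    if image is None:
        return ["show version output has no 'System image file' line"]

    m = SIGNED_EXT.search(image)
    if m is None:
        # A renamed file loses the extension, so the name checks stop here;
        # the signed envelope below still says what the image actually is.
        findings.append(f"{image}: no .S?? token; image may be unsigned or renamed")
        type_letter = key_letter = None
    else:
        type_letter, key_letter = m.groups()

    sig = parse_fields(show_auth_file)
    sig_file = sig.get("File Name", "")
    if sig_file.split(":")[-1] != image.split(":")[-1]:
        findings.append(f"signature output is for {sig_file!r}, not running image {image!r}")

    image_type = sig.get("Image type")
    if type_letter and IMAGE_TYPE_BY_LETTER[type_letter] != image_type:
        findings.append(f"extension says {IMAGE_TYPE_BY_LETTER[type_letter]}, "
                        f"signature says {image_type}")

    key_version = sig.get("Key Version")
    if key_letter and key_version != key_letter:
        findings.append(f"extension says key version {key_letter}, signature says {key_version}")

    if sig.get("Hash Algorithm") not in allowed_hashes:
        findings.append(f"hash algorithm {sig.get('Hash Algorithm')!r} not in {allowed_hashes}")

    if require_production and image_type != "Production":
        findings.append(f"image type {image_type!r} is not a production release")
    return findings


if __name__ == "__main__":
    for finding in audit_image(SHOW_VERSION, SHOW_AUTH_FILE):
        print("FINDING:", finding)
```

The two findings the sample produces (key-version letter A in the name against B in the envelope, and a development image where policy wants production) show why the name is treated as a hint and the signed envelope as the authority: the extension check fails open for a renamed file, whereas the envelope fields come from the signature itself.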
Displaying Digitally Signed Cisco Software Key Information: Example
The following example displays digitally signed Cisco software key information. The information details the software public keys that are in storage with the key types.
Router# show software authenticity keys
Public Key #1 Information
-------------------------
Key Type                : Release (Primary)
Public Key Algorithm    : RSA
Modulus                 :
        CC:CA:40:55:8C:71:E2:4A:3A:B6:9D:5C:94:1D:02:BA:
        ...
        26:04:6B:33:EB:70:2B:18:24:C7:D9:31:3E:77:24:85
Exponent                : xxx
Key Version             : A

Public Key #2 Information
-------------------------
Key Type                : Development (Primary)
Public Key Algorithm    : RSA
Modulus                 :
        CC:CA:40:55:8C:71:E2:4A:3A:B6:9D:5C:94:1D:02:BA:
        ...
        26:04:6B:33:EB:70:2B:18:24:C7:D9:31:3E:77:24:85
Exponent                : xxx
Key Version             : A
Table 4 describes the significant fields shown in the display.
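The keys shown by show software authenticity keys are the trust anchors for every signature check on the device, so a practitioner normally records them from a trusted unit and compares later readings against that record. The following Python script is an added example, not Cisco code and not part of the original document. The baseline and the sample display are constructed for the example: the page elides its real moduli, so the stand-ins are 32 bytes rather than the 256 bytes of a 2048-bit RSA modulus, and the exponent value 65537 is assumed. The device's development key is given a modulus the baseline does not know, so that the mismatch path is exercised.

```python
"""Compare the signing keys a device reports against a known-good baseline.

Added example, not Cisco code. The baseline and the sample
'show software authenticity keys' output are constructed for this example:
the page elides its real moduli, so the stand-ins below are 32 bytes rather
than the 256 bytes of a 2048-bit RSA modulus, and the exponent is assumed.
"""
import hashlib
import re
from typing import Dict, List, Set

SHOW_AUTH_KEYS = """\
Public Key #1 Information
-------------------------
Key Type                : Release (Primary)
Public Key Algorithm    : RSA
Modulus                 :
        CC:CA:40:55:8C:71:E2:4A:3A:B6:9D:5C:94:1D:02:BA:
        26:04:6B:33:EB:70:2B:18:24:C7:D9:31:3E:77:24:85
Exponent                : 65537
Key Version             : A

Public Key #2 Information
-------------------------
Key Type                : Development (Primary)
Public Key Algorithm    : RSA
Modulus                 :
        D1:03:7E:9A:00:41:5B:CD:EF:12:34:56:78:9A:BC:DE:
        F0:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Exponent                : 65537
Key Version             : A
"""

# Known-good moduli per key type, as recorded from a trusted device at
# deployment time (constructed here). The development modulus on record
# differs from the one the sample device reports.
BASELINE: Dict[str, Set[str]] = {
    "Release (Primary)": {
        "ccca40558c71e24a3ab69d5c941d02ba26046b33eb702b1824c7d9313e772485"},
    "Development (Primary)": {
        "0f1e2d3c4b5a69788796a5b4c3d2e1f0ffeeddccbbaa99887766554433221100"},
}

HEX_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]{2}:?)+\s*$")


def parse_keys(output: str) -> List[Dict[str, str]]:
    """Split the display into one record per 'Public Key #N' block.

    Modulus lines are colon-separated hex pairs, so a plain 'Name : Value'
    split would mangle them; they are recognised by shape and concatenated
    into one lowercase hex string under 'Modulus'."""
    keys: List[Dict[str, str]] = []
    current = None
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Public Key #"):
            current = {"Modulus": ""}
            keys.append(current)
        elif current is None or not text or set(text) == {"-"}:
            continue
        elif HEX_LINE.match(text):
            current["Modulus"] += text.replace(":", "").lower()
        else:
            name, _, value = text.partition(":")
            if name.strip() != "Modulus":  # the 'Modulus :' header carries no value
                current[name.strip()] = value.strip()
    return keys


def fingerprint(modulus_hex: str) -> str:
    """Short SHA-256 fingerprint of the raw modulus bytes, for reports."""
    return hashlib.sha256(bytes.fromhex(modulus_hex)).hexdigest()[:16]


def audit_keys(output: str, baseline: Dict[str, Set[str]]) -> List[str]:
    """Flag key types the baseline does not expect, moduli the baseline does
    not know for their type, and expected key types that are absent."""
    findings = []
    seen = set()
    for key in parse_keys(output):
        ktype = key.get("Key Type", "?")
        version = key.get("Key Version", "?")
        seen.add(ktype)
        if ktype not in baseline:
            findings.append(f"unexpected key type {ktype!r} (version {version})")
        elif key["Modulus"] not in baseline[ktype]:
            findings.append(f"{ktype} version {version}: modulus "
                            f"{fingerprint(key['Modulus'])} not in baseline")
    for ktype in baseline:
        if ktype not in seen:
            findings.append(f"expected key type {ktype!r} not present")
    return findings


if __name__ == "__main__":
    for finding in audit_keys(SHOW_AUTH_KEYS, BASELINE):
        print("FINDING:", finding)
```

Comparing the full modulus rather than the Key Version letter matters: the version letter only says which generation of key the image was signed with, while the modulus is what a replaced or planted key would change.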
Enabling Debugging of Digitally Signed Cisco Software Image Key Information: Example
The following example shows how to enable debugging of software authentication events relating to key information for digitally signed Cisco software:
Router# debug software authenticity key
Additional References
The following sections provide references related to the Digitally Signed Cisco Software feature.
Related Documents
Related Topic                                        Document Title
Overview of Cisco IOS software activation
Commands related to Cisco IOS software activation
Standards
MIBs
RFCs
Technical Assistance
Feature Information for Digitally Signed Cisco Software
Table 5 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 5 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.

