Cisco Cisco IOS XE 3.5E
Key Revocation
Key revocation is the process of removing a key from operational use in digitally signed Cisco software.
Key revocation takes place when a key becomes compromised or is no longer used. Key revocation and replacement is only necessary
in the event of a certain type of vulnerability or catastrophic loss to Cisco's secure key infrastructure. Operational steps to remedy
the situation would only be necessary if notified and directed by Cisco. Notification and direction would occur through posting of
advisories or field notices on www.cisco.com.
in the event of a certain type of vulnerability or catastrophic loss to Cisco's secure key infrastructure. Operational steps to remedy
the situation would only be necessary if notified and directed by Cisco. Notification and direction would occur through posting of
advisories or field notices on www.cisco.com.
There are two different key revocation processes depending on the type of key to be revoked:
• Production key replacement uses a revocation image and a production image
• Special key replacement uses a production image
Key Replacement
Key replacement is the process of providing a new key to replace a compromised key. The new key is added before the compromised
key is revoked. Key replacement is a two-step process:
key is revoked. Key replacement is a two-step process:
1
A new key is added to the key storage to replace the revoked key.
2
After the image is verified as operating correctly with the new key, the compromised key is revoked from the key storage.
Key Revocation Image
A revocation image is a basic version of the normal image whose function is to add a new production key to the key storage area. A
revocation image has no other capabilities. When a key is to be revoked and replaced, one revocation image per key is provided.
revocation image has no other capabilities. When a key is to be revoked and replaced, one revocation image per key is provided.
A revocation image contains a new production key bundled within it.
A rollover key stored on the platform is used to verify the signature of the revocation image--a valid revocation image is signed using
the same rollover key.
the same rollover key.
A revocation image can be used only in production key revocation.
Note
Important Tasks Concerning the Revocation Image
There are two important tasks concerning the revocation image:
There are two important tasks concerning the revocation image:
• Adding the new production key to the key storage area.
• Performing a production key upgrade check. For more information, see Step 2 in the “Production Key Revocation”.
Adding the New Production Key to the Key Storage Area:
The revocation image adds the bundled production key to the key storage. The key is written to the primary and backup key storage
areas after the revocation image checks that the key is already not part of the existing set of keys in the key storage.
areas after the revocation image checks that the key is already not part of the existing set of keys in the key storage.
4