Version 4.1 - 2.0 RSA
RSA is being covered separately since it's different from the others. When you think RSA, think Public Key - Private Key. The Public Key is given to everyone. The Private Key is the one you must secure. Anything encrypted using your Public Key can only be decrypted with your Private Key. So anything that someone wants to send to you should be encrypted with your Public Key - since only you would be able to decrypt it. Anything that you want to send out should be signed with your Private Key - since everyone can use your Public Key to decrypt / validate and know that only you could have encrypted it (non-repudiation).
Creating the key pairs uses the "crypto key generate rsa" command. This creates RSA key pairs for signing and encryption.
R1(config)#crypto key generate rsa ?
encryption Generate a general purpose RSA key pair for signing and encryption
exportable Allow the key to be exported
general-keys Generate a general purpose RSA key pair for signing and encryption
label Provide a label
modulus Provide number of modulus bits on the command line
on create key on specified device.
signature Generate a general purpose RSA key pair for signing and encryption
storage Store key on specified device
usage-keys Generate separate RSA key pairs for signing and encryption
Crypto key zeroize clears the keys so you can generate a new pair. You have to set the hostname and domain name of the device to generate keys. If you change the domain name on the device, you must zeroize and generate new keys. These keys are used to implement SSH. In order to implement SSHv2, the modulus must be greater than or equal to 768 (I normally use 1024).
The Wikipedia page for RSA points out that this is asymmetrical encryption. [RSA and El Gamal are the only asymmetrical encryption algorithms mentioned in most study guides.] It is based on the difficulty of factoring very large prime numbers.
Note that with the RSA algorithm, the encryption and decryption process is relatively slow. The upside is that it is more robust than symmetric encryption. So the optimization of the process is to use asymmetric encryption to encrypt symmetric keys. The faster symmetric keys are used for encryption / decryption of data.
Person A and Person B want to communicate securely over an insecure medium. Both generate public / private key pairs. Person A creates a symmetric key to use for the data. The message containing the key is signed with A's private key and encrypted with B's public key. B gets the message and is the only one with the private key to decrypt it. B now has the decrypted symmetric key and can validate A's signature with A's public key. They now both have a symmetric key (to more quickly encrypt / decrypt this data) that has not been sent "in the clear" over the insecure medium.
As wonderful as this sounds, there are attacks against this system. I looked through these attacks and I doubt that anything on them would pop up. However I found the Chinese remainder theorem very interesting. I can see the factoring attacks becoming more feasible as computing power grows. The "faulty key generation" attacks focus on weaknesses in the implementation of the algorithm, mainly relying on special cases where the private key is relatively small. The importance of random number generation sounds simple and obvious, but I do remember some material that I went over years ago that explained just how difficult is was to have a computer generate a truly random number. Computers calculate and can easily generate numbers that _seem_ random, but in order to generate _any_ number, a computer must have a set of instructions.
This is not a particularly long section, but a lot of this I wrote off the top of my head. I think between experience and covering this in many of my previous certification tests, this section should not be a problem for me.
Update: A double-check of my notes on Asymmetric Encryption adds more to this section.
What I wanted to point out with this graphic is that RSA is an encryption algorithm and a signature algorithm.