
digital signature description in IKE draft
A comment on the text in Section 6.1.1.2, "Main Mode Authentication with
Digital Signatures" of draft-ietf-ipsec-ike-01.txt

I don't think the redefinitions of the usual notions of digital
signatures are explicit enough and consequently, I think the text is
confusing.  Assuming that I have an accurate understanding of what's
intended, I suggest that the text after the message exchange diagram
read:  

----- begin -----

Where SIG_I and SIG_R are digital signatures of I-digest and R-digest
(section 4.1), respectively, and are presented in a signature payload.  

Note that, in general, the signature will be computed directly over the
I-digest or R-digest, which are generated by the pseudo-random
function.  However, if the signature algorithm is tied to a particular
hash algorithm, then the digest should be computed using that particular
hash algorithm.  In other words, instead of computing the digest as
digest = prf(key|msg), the digest should be computed as digest =
hash(key|msg). 

For example, when using DSA signatures, SHA-1 must be used in place of
the prf to compute the I-digest and R-digest (DSA is only defined with
SHA-1).  Furthermore, the DSA signature MUST be encoded as the value "r"
followed by the value "s" where "r" is computed as usual, but where 
"s" = (k^(-1))(digest + xr) mod q.

When using RSA signatures, SIG_I and SIG_R are actually private key
encryptions where the I-digest and R-digest are encoded by the PKCS #1
v2.0 (OAEP) method used for encryption, rather than by the method used
for signatures ([PKCS1]).  Note that there is no correlation between the
hash OIDs used in [PKCS1] and those used in this document; however,
since the prf is known, there is no need to encode the OID into the
signature.  See Section 9, "Security Considerations", for PKCS1 padding
requirements.

----- end -----

Desiree Beck
NSA
dbeck@radium.ncsc.mil
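Added example, not part of this message or of the IKE draft: a toy Python DSA run over the two digest constructions the proposed text distinguishes, hash(key|msg) versus prf(key|msg) (HMAC-SHA-1 is assumed as the prf), with s computed as k^(-1)(digest + xr) mod q and the signature payload encoded as r followed by s. The group parameters, key material and message bytes are constructed and far too small for real use; the final two lines show that a peer that derives the digest with the prf instead of SHA-1 will not verify the signature.

```python
import hashlib
import hmac
import secrets

# Toy DSA group, constructed for illustration only: p = 2q + 1 with p, q prime
# and g = 4 of order q. Real DSA uses a 160-bit q and a 1024-bit or larger p.
P, Q, G = 2039, 1019, 4

def digest_hash(key: bytes, msg: bytes) -> int:
    """Digest as the post proposes for DSA: SHA-1(key | msg), reduced mod q."""
    return int.from_bytes(hashlib.sha1(key + msg).digest(), "big") % Q

def digest_prf(key: bytes, msg: bytes) -> int:
    """Digest via the IKE prf, assumed here to be HMAC-SHA-1: prf(key, msg)."""
    return int.from_bytes(hmac.new(key, msg, hashlib.sha1).digest(), "big") % Q

def dsa_sign(x: int, digest: int, k=None) -> tuple:
    """r = (g^k mod p) mod q and s = k^-1 (digest + x r) mod q, as in the post.
    k must be a fresh secret random value per signature; passing it in is only
    for checking the formula against known numbers, never for real use."""
    while True:
        k_i = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, k_i, P) % Q
        s = pow(k_i, -1, Q) * (digest + x * r) % Q
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("degenerate k, choose another")

def dsa_verify(y: int, digest: int, sig: tuple) -> bool:
    """Standard DSA verification against the public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, digest * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def encode_rs(r: int, s: int) -> bytes:
    """Signature payload body as the post requires: r followed by s, fixed width."""
    n = (Q.bit_length() + 7) // 8
    return r.to_bytes(n, "big") + s.to_bytes(n, "big")

if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1                 # signer's private key
    y = pow(G, x, P)
    key, msg = b"SKEYID-constructed", b"constructed main-mode fields"
    sig = dsa_sign(x, digest_hash(key, msg))         # signer used SHA-1(key|msg)
    print("signature payload r||s:", encode_rs(*sig).hex())
    print("peer digests with SHA-1 :", dsa_verify(y, digest_hash(key, msg), sig))
    print("peer digests with the prf:", dsa_verify(y, digest_prf(key, msg), sig))
```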