
Re: I-D ACTION:draft-ietf-ipsec-ike-auth-ecdsa-01.txt



Hi Hugo,

Thanks. We didn't intend to imply that ECDSA provides non-repudiation within
IKE, rather that in general ECDSA can help provide non-repudiation in the same
way other signature schemes can help provide non-repudiation. In the context,
the text is misleading, and we'll do our best to fix it.

Best regards. Simon





Hugo Krawczyk <hugo@ee.technion.ac.il> on 11/07/2000 07:12:11 AM

To:   Paul Fahn/Certicom@Certicom
cc:   ipsec list <ipsec@lists.tislabs.com> (bcc: Simon Blake-Wilson/Certicom)
Subject:  Re: I-D ACTION:draft-ietf-ipsec-ike-auth-ecdsa-01.txt




> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the IP Security Protocol Working Group of the
> IETF.
>
>    Title          : IKE Authentication Using ECDSA
>    Author(s) : S. Blake-Wilson, P. Fahn
>    Filename  : draft-ietf-ipsec-ike-auth-ecdsa-01.txt
>    Pages          : 5
>    Date      : 06-Nov-00
>
> This document describes how the Elliptic Curve Digital Signature
> Algorithm (ECDSA) may be used as the authentication method within
> the Internet Key Exchange (IKE) protocol. ECDSA provides
> authentication and non-repudiation with benefits of computational

While ECDSA can provide non-repudiation when used appropriately,
it cannot guarantee that property, in general, when used in the context of
the signature authentication mode of IKE. The reason is that
BY DESIGN this mode does NOT guarantee non-repudiation regardless
of the signature scheme. Indeed the input to the signature is the
output of a PRF. For certain PRFs (e.g. 3DES, Rijndael) the
combination with the signature results in a repudiable signature.
Non-repudiation was a non-goal for IKE. Actually ensuring non-repudiation
can be viewed as a privacy weakness (as it gives a "proof of
communication"). If one still wants to provide non-repudiation
then using HMAC as the PRF with a hash function that provides
collision-resistance will achieve that.

Hugo


> efficiency, small signature sizes, and minimal bandwidth, compared
> to other available digital signature methods. This document adds
> ECDSA capability to IKE without introducing any changes to existing
> IKE operation.
>
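
Added example, not part of the thread or of the draft: one way to see the point about block-cipher PRFs, under the assumption that the PRF is modelled as a CBC-MAC over an invertible block cipher. The toy Feistel cipher stands in for 3DES or Rijndael, and all keys, messages and function names are constructed for illustration; because the signature covers only the PRF output, a second (key, input) pair with the same output is covered by the same signature.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes of the toy cipher

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Feistel round function built from SHA-256 (toy construction, an assumption)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_mac(key, msg):
    # PRF modelled as CBC-MAC; msg must be a whole number of blocks
    if len(msg) % BLOCK:
        raise ValueError("message must be block-aligned")
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = encrypt(key, _xor(state, msg[i:i + BLOCK]))
    return state

def alternate_input(target, key, prefix):
    # Anyone who picks `key` can invert the last block so the PRF hits `target`
    return prefix + _xor(decrypt(key, target), cbc_mac(key, prefix))

def demo():
    skeyid = b"constructed SKEYID"
    exchange = b"constructed exchange data".ljust(2 * BLOCK, b"\0")
    signed = cbc_mac(skeyid, exchange)  # the value the signature would cover
    key2 = b"constructed other key"
    msg2 = alternate_input(signed, key2, b"unrelated data".ljust(BLOCK, b"\0"))
    same_cbc = cbc_mac(key2, msg2) == signed
    same_hmac = hmac.compare_digest(
        hmac.new(key2, msg2, hashlib.sha256).digest(),
        hmac.new(skeyid, exchange, hashlib.sha256).digest())
    return same_cbc, same_hmac, msg2 != exchange

if __name__ == "__main__":
    print(demo())
```

With HMAC over a collision-resistant hash, producing a second (key, input) pair with the same output would require a hash collision, so the signed value does bind the signer to the exchange.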