
Re: [MSEC] Re: multicast authentication using AH



Dan McDonald writes:
 > > > > AH SHOULD HAVE supported authentication with digital signatures.
 > > >
 > > >There's nothing, I believe, about AH that prevents digital signatures from
 > > >being used.
 > > >
 > > >The Authentication Data area can be made up to 1016 bytes (just shy of
 > > >8kbits) per 2402.  That should be plenty of room for a digital signature.
 > > >
 > > >Dan
 > > 
 > > How is this signalled?
 > 
 > It's part of the IPsec Security Association data.  Per 2401, an SA is indexed
 > by the tuple <AH, SPI, IP destination address>.  When you add the appropriate
 > SA, you get all sorts of data, including the algorithm.
 > 
 > All one would need to do is write a new "algorithm document" for using a
 > digital signature with AH.  It shouldn't be tough, and if I had cycles (HAH!)
 > I could easily prototype one in Solaris.


Yep. This is doable. But, I would advise against it. It would require
some kind of higher math (bignum, ecc, etc) on every packet. Someone
could very easily start forging packets and bring pretty much any
machine ever made to a halt.

But, it would make key exchange unnecessary, so it could be worth trying.

chris stillson
IPSEC crypto monkey
x82477

Note: Preceding comments written by an engineer. There is nothing
to read into them. He really has no hidden motives or agendas.

1.Right Understanding 2.Right Thoughts 3.Right Speech 4.Right Action 
5.Right Livelihood 6.Right Effort 7.Right Mindfulness 8.Right Concentration 
--Please inform author if he has forgotten about any of these
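As an added illustration (example code, not from this thread or from any IPsec implementation), the inbound path Dan and Chris are discussing: the SA looked up by <AH, SPI, destination>, the Authentication Data sized by the 8-bit Payload Len (which is where the 1016-byte ceiling comes from), and the cheap checks a receiver runs before any per-packet cryptography, so that a flood of forged packets is rejected before the expensive step. It assumes HMAC-SHA1-96 (RFC 2404) as the SA's algorithm; a signature algorithm would be another `verify` entry with a larger `icv_len`. The covered data here is the AH header with the ICV zeroed plus the payload, omitting the immutable IP header fields for brevity (a simplification, not the RFC's full rule).

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
AH_MAX_ICV_LEN = 1016  # 8-bit Payload Len: (255 + 2) * 4 - 12 bytes, the figure quoted above

def parse_ah(pkt):
    """Split an RFC 2402 AH header into (next_hdr, spi, seq, icv, ah_len)."""
    if len(pkt) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _res, spi, seq = struct.unpack("!BBHII", pkt[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4  # Payload Len counts 32-bit words, minus 2
    if ah_len < AH_FIXED_LEN or len(pkt) < ah_len:
        raise ValueError("Payload Len inconsistent with packet")
    return next_hdr, spi, seq, pkt[AH_FIXED_LEN:ah_len], ah_len

def hmac_sha1_96(key, data):  # RFC 2404 ICV: leftmost 96 bits of HMAC-SHA1
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def verify_inbound(sa_db, dst, pkt):
    """Return (accepted, reason); every cheap check runs before per-packet cryptography."""
    _nh, spi, seq, icv, ah_len = parse_ah(pkt)
    sa = sa_db.get(("AH", spi, dst))           # SA selector per RFC 2401
    if sa is None:
        return False, "no SA"
    if seq in sa["seen"] or seq + 64 <= sa["seq_high"]:   # 64-packet replay window
        return False, "replay"
    covered = pkt[:AH_FIXED_LEN] + bytes(len(icv)) + pkt[ah_len:]   # ICV field zeroed
    if len(icv) != sa["icv_len"] or not hmac.compare_digest(sa["verify"](sa["key"], covered), icv):
        return False, "bad ICV"
    sa["seen"].add(seq)
    sa["seq_high"] = max(sa["seq_high"], seq)
    return True, "ok"

def build_ah(next_hdr, spi, seq, key, payload):  # constructed sender side, 12-byte ICV
    hdr = struct.pack("!BBHII", next_hdr, (AH_FIXED_LEN + 12) // 4 - 2, 0, spi, seq)
    return hdr + hmac_sha1_96(key, hdr + bytes(12) + payload) + payload

def demo():
    key = b"constructed-demo-key"  # constructed sample SA, not real key material
    sa_db = {("AH", 0x1000, "192.0.2.1"): {"key": key, "icv_len": 12, "verify": hmac_sha1_96,
                                            "seq_high": 0, "seen": set()}}
    good = build_ah(17, 0x1000, 1, key, b"udp payload")
    tampered = bytearray(build_ah(17, 0x1000, 2, key, b"udp payload"))
    tampered[-1] ^= 1                          # flip a payload bit after the ICV was computed
    return [verify_inbound(sa_db, "192.0.2.1", good),
            verify_inbound(sa_db, "192.0.2.1", good),           # same seq: rejected before crypto
            verify_inbound(sa_db, "192.0.2.1", bytes(tampered)),
            verify_inbound(sa_db, "203.0.113.9", good)]         # other destination: no SA
```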


