
Re: IKEv2-07 Comment on Signature Usage



Charlie:

Your proposed action resolves my concern.

Russ


> > IKEv2-07 says:
> >
> >     Optionally, messages 3 and 4 MAY include a certificate, or
> >     certificate chain providing evidence that the key used to compute a
> >     digital signature belongs to the name in the ID payload. The
> >     signature or MAC will be computed using algorithms dictated by the
> >     type of key used by the signer, an RSA-signed PKCS1-padded-hash for
> >     an RSA digital signature, a DSS-signed SHA1-hash for a DSA digital
> >     ...
> >
> > Unfortunately, this does not really work.  Consider a certificate with an
> > RSA public key.  The subject public key info contains the rsaEncryption
> > algorithm identifier.  This public key can be used to validate signatures
> > generated with PKCS #1 version 1.5 or PSS.  And, each of these signature
> > algorithms can be used with many different one-way hash functions.
> >
> > A signature value needs to be coupled with an algorithm identifier.
> >
> > Russ
> >
>I agree. There is a one byte field in the AUTH payload called Auth Method
>that could be used to specify the algorithm. Currently, it has three
>defined values: 1=RSA signature formatted using PKCS#1; 2=PRF computed
>using the shared key; and 3=DSS signature currently specified as "using a
>DSS private key over a SHA-1 hash" (I believe the DSS signature standard
>(unlike RSA) specifies the padding and the use of a SHA-1 hash).
>
>If I changed the wording of the text you quoted to list those as examples
>rather than mandates with a pointer to section 3.8, and changed section 3.8
>to specify that in the future new codes could be assigned to existing key
>types, would that satisfy your concern?
>
>Related issues: should these algorithms be listed in the algorithms spec
>instead of or in addition to this one, and should we define a code for PSS
>signatures now or should it wait? (And is there an RFC to reference?).
>
>       --Charlie
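
The point raised in this thread, as an added example that is not part of the original messages or of any IKEv2 implementation: one RSA key produces valid PKCS #1 v1.5 signatures under different hash functions, so a verifier that knows only the key type cannot tell which check to run. The toy key, the string algorithm identifiers and the `sign_tagged`/`verify_tagged` helpers are assumptions made for illustration; PSS is left out to keep the example short.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: NOT secure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

# DER DigestInfo prefixes from RFC 8017, section 9.2. The keys double as the
# hypothetical algorithm identifiers and as the verifier's allow-list.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def emsa_pkcs1_v15(msg, hash_name):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || hash."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg, hash_name):
    em = int.from_bytes(emsa_pkcs1_v15(msg, hash_name), "big")
    return pow(em, D, N).to_bytes(K, "big")

def verify(msg, sig, hash_name):
    """Verify under one specific algorithm; the key itself does not name it."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(msg, hash_name)

def sign_tagged(msg, alg):
    """Couple the signature value with its algorithm identifier."""
    return alg, sign(msg, alg)

def verify_tagged(msg, tagged):
    """Run exactly the check the identifier names, if policy allows it."""
    alg, sig = tagged
    return alg in DIGEST_INFO and verify(msg, sig, alg)

if __name__ == "__main__":
    msg = b"constructed sample data to be signed"
    sig = sign(msg, "sha256")
    print("verified as sha256:", verify(msg, sig, "sha256"))
    print("verified as sha1:  ", verify(msg, sig, "sha1"))
    print("tagged verify:     ", verify_tagged(msg, sign_tagged(msg, "sha256")))
```

A verifier that assumed SHA-1 from the key type alone would reject the valid SHA-256 signature; with the identifier attached, it runs the one intended check and refuses identifiers outside its allow-list.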